Preface


The 14th International Conference on the Theory and Applications of Cryptology and Information Security — ASIACRYPT 2008 — was held in Melbourne during December 7-11, 2008. The conference was sponsored by the International Association for Cryptologic Research (IACR) in cooperation with the Center for Advanced Computing - Cryptography and Algorithms (ACAC), Macquarie University, Deakin University, the Research Network for a Secure Australia (RNSA) and SECIA. ASIACRYPT 2008 was chaired by Lynn Batten and I had the honor of serving as the Program Chair.

There were 208 submissions from which 12 papers were withdrawn. Each 
paper got assigned to at least three referees. Papers submitted by the members 
of the Program Committee got assigned to five referees. In the first stage of the 
review process, the submitted papers were read and evaluated by the Program 
Committee members and then in the second stage, the papers were scrutinized 
during an extensive discussion. Finally, the Program Committee chose 33 papers 
to be included in the conference program. The authors of the accepted papers 
had three weeks for revision and preparation of final versions. The revised papers 
were not subject to editorial review and the authors bear full responsibility for 
their contents. 

The Program Committee selected three best papers. They were: “Speeding 
up Pollard Rho Method on Prime Fields” by Jung Hee Cheon, Jin Hong, and 
Minkyu Kim, “A Modular Security Analysis of the TLS Handshake Protocol” 
by Paul Morrissey, Nigel P. Smart and Bogdan Warinschi and “Breaking the 
F-FCSR-H Stream Cipher in Real Time” by Martin Hell and Thomas Johansson. 
The authors of the three papers were invited to submit the full versions of their 
papers to the Journal of Cryptology. The authors of the first paper, Jung Hee 
Cheon, Jin Hong and Minkyu Kim, were recipients of the Best Paper Award. 

The conference program included two invited lectures by Andrew Chi-Chih 
Yao and John Cannon. Andrew Chi-Chih Yao spoke about “Some Perspectives 
on Complexity-Based Cryptography” and an abstract has been included in the 
proceedings. 

There are many people who contributed to the success of ASIACRYPT 2008. First I would like to thank the authors of all papers (both accepted and rejected) for submitting their papers to the conference. Special thanks go to the members of the Program Committee and the external referees who gave their time, expertise and enthusiasm in order to ensure that each paper received a thorough and fair review. I am grateful to Andy Clark, Helena Handschuh, Arjen Lenstra and Bart Preneel for their support and advice; I thank Vijayakrishnan Pasupathinathan for taking care of the iChair server and Michelle Kang and Judy Chow for maintenance of the conference website. Shai Halevi deserves our thanks for the registration site. Judy Chow, the conference secretary, is warmly thanked for her enormous contribution responding to participant queries and on site at the conference registration. I would like to thank Matthieu Finiasz and Thomas Baignères from EPFL, LASEC, Switzerland for letting us use their iChair software that was used not only as the submission server but also facilitated the review and discussion process. Finally, I would like to thank Ed Dawson for organizing a traditional Rump Session.


December 2008 Josef Pieprzyk 
MPC vs. SFE: Unconditional and Computational Security*


Martin Hirt, Ueli Maurer, and Vassilis Zikas 

Department of Computer Science, ETH Zurich, 8092 Zurich, Switzerland 
{hirt,maurer,vzikas}@inf.ethz.ch


Abstract. In secure computation among a set $\mathcal{P}$ of players one considers an adversary who can corrupt certain players. The three usually considered types of corruption are active, passive, and fail corruption. The adversary's corruption power is characterized by a so-called adversary structure which enumerates the adversary's corruption options, each option being a triple $(A, E, F)$ of subsets of $\mathcal{P}$, where the adversary can actively corrupt the players in $A$, passively corrupt the players in $E$, and fail-corrupt the players in $F$.

This paper is concerned with characterizing for which adversary structures 
general secure function evaluation (SFE) and secure (reactive) multi-party com- 
putation (MPC) is possible, in various models. This has been achieved so far only 
for the very special model of perfect security, where, interestingly, the conditions 
for SFE and MPC are distinct. Such a separation was first observed by Ishai et al. 
in the context of computational security. We give the exact conditions for general 
SFE and MPC to be possible for information-theoretic security (with negligible 
error probability) and for computational security, assuming a broadcast channel, 
with and without setup. In all these settings we confirm the strict separation be- 
tween SFE and MPC. As a simple consequence of our results we solve an open 
problem for computationally secure MPC in a threshold model with all three cor- 
ruption types. 


1 Introduction 

Secure Function Evaluation and Secure Multi-Party Computation. Secure function evaluation (SFE) allows a set $\mathcal{P} = \{p_1, \ldots, p_n\}$ of $n$ players to compute an arbitrary agreed function $f$ of their inputs $x_1, \ldots, x_n$ in a secure way. (Reactive) secure multi-party computation (MPC) is a generalization of SFE where the function to be computed is "reactive": players can give inputs and get outputs several times during the computation. If one models SFE and MPC as ideal functionalities, then the main difference is that in MPC (but not in SFE) the functionality must be able to keep state.

The potential dishonesty of players is modeled by a central adversary corrupting players, where players can be actively corrupted (the adversary takes full control over them), passively corrupted (the adversary can read their internal state), or fail-corrupted (the adversary can make them crash at any suitable time). A crashed player stops sending any messages, but the adversary cannot read the internal state of the player (unless he is actively or passively corrupted at the same time).

* This research was partially supported by the Swiss National Science Foundation (SNF), project no. 200020-113700/1 and by the Zurich Information Security Center (ZISC). The full version of this paper is available at http://www.crypto.ethz.ch/pubs/HiMaZi08.

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 1–18, 2008.
© International Association for Cryptologic Research 2008

Summary of Known Results. SFE (and MPC) was introduced by Yao [Yao82]. The first general solutions were given by Goldreich, Micali, and Wigderson [GMW87]; these protocols are secure under some intractability assumptions. Later solutions [BGW88, CCD88] provide information-theoretic security. In particular, it is remarkable that if a (physical) broadcast channel is assumed, strictly more powerful adversaries can be tolerated [RB89, Bea91].

In the seminal papers solving the general SFE and MPC problems, the adversary is specified by a single corruption type (active or passive) and a threshold $t$ on the tolerated number of corrupted players. Goldreich, Micali, and Wigderson [GMW87] proved that, based on cryptographic intractability assumptions, general secure MPC is possible if and only if $t < n/2$ players are actively corrupted, or, alternatively, if and only if $t < n$ players are passively corrupted. In the information-theoretic model, Ben-Or, Goldwasser, and Wigderson [BGW88] and independently Chaum, Crépeau, and Damgård [CCD88] proved that unconditional security is possible if and only if $t < n/3$ for active corruption and $t < n/2$ for passive corruption. Finally, in [GMW87, GL02, Gol04] it was shown that, based on cryptographic intractability assumptions, any number of active cheaters ($t < n$) can be tolerated for SFE, but only if we sacrifice fairness and guaranteed delivery of the output [Cle86]. Some of the above results were unified, and extended to include fail-corruption, in [FHM98]: perfectly secure MPC (and SFE) is achievable if and only if $3t_a + 2t_p + t_f < n$, and unconditionally secure MPC (SFE) (without a trusted setup or a broadcast channel) is achievable if and only if $2t_a + 2t_p + t_f < n$ and $3t_a + t_f < n$, where $t_a$, $t_p$, and $t_f$ denote the upper bounds on the number of actively, passively, and fail-corrupted players, respectively. These results consider an adversary who can perform all three corruption types simultaneously. For the computational-security case, Ishai et al. [IKLP06] gave a protocol for SFE which tolerates an adversary who can either corrupt $t_a < n/2$ players actively, or, alternatively, $t_p < n$ players passively. They also showed that such an adversary cannot be tolerated for MPC.

Generalizing threshold models, the adversary's corruption power can be characterized by a so-called adversary structure which enumerates the adversary's corruption options, each option being a triple $(A, E, F)$ of subsets of $\mathcal{P}$, where the adversary can actively corrupt the players in $A$, passively corrupt the players in $E$, and fail-corrupt the players in $F$. Of course, the adversary's choice of the option is secret and a protocol must tolerate any choice by the adversary.

General adversary structures were first considered in [HM97, HM00] for active-only and passive-only corruption. General mixed-corruption (active and passive) adversary structures were considered in [FHM99]. The full generality, including fail-corruption, was first considered in [BFH+08], where only the perfect-security case could be solved, both for SFE and MPC. An interesting aspect of those results is the separation between SFE and MPC: the condition for SFE is strictly weaker than the condition for MPC. This can also be seen as a justification for the most general mixed corruption models. Such a separation was previously observed for the perfect-security case [Alt99] and, as already mentioned, for the computational-security case [IKLP06].
Contributions of this Paper. We prove the exact conditions for general SFE and MPC
to be possible, in the most general mixed adversary model, with synchronous com- 
munication, and where a broadcast channel is assumed. We consider the most natural 
and desirable security notion, where full security (including fairness and guaranteed 
output delivery) is required. We solve the two cases of general interest: unconditional 
(information-theoretic with negligible error probability) security and computational se- 
curity, both with and without setup. We show a strict separation between SFE and MPC. 

Our results imply that for the threshold model with all three corruption types simultaneously, and for computational security, SFE and MPC are possible if and only if $2t_a + t_p + t_f < n$. As in [FHM98] there is no separation in this model.

Outline of this paper. In Section 2 we describe the model. In Sections 3, 4, 5 and 6 we handle the unconditional-security case; in particular, in Sections 3 and 4 we describe techniques and sub-protocols that are used for the construction of the MPC and SFE protocols described in Sections 5 and 6, respectively. Finally, in Section 7 we handle the computational-security case.


2 The Model 

We consider a set $\mathcal{P} = \{p_1, \ldots, p_n\}$ of players. Some of these players can be corrupted by the adversary. We consider active corruption (the adversary takes full control), passive corruption (the adversary can read the internal state), and fail-corruption (the adversary can make the player crash). We use the following characterizations for players: a player that is not corrupted is called uncorrupted, a player that (so far) has followed the protocol instructions is called correct, and a player that has deviated from the protocol (e.g., has crashed or has sent wrong messages) is called incorrect. The adversary's corruption capability is characterized by an adversary structure $\mathcal{Z} = \{(A_1, E_1, F_1), \ldots, (A_m, E_m, F_m)\}$ (for some $m$) which is a monotone set of triples of player sets. At the beginning of the protocol, the adversary chooses a triple $Z^* = (A^*, E^*, F^*) \in \mathcal{Z}$ and actively corrupts the players in $A^*$, passively corrupts the players in $E^*$ (eavesdropping), and fail-corrupts the players in $F^*$; this triple is called the actual adversary class or simply the actual adversary. Note that $Z^*$ is not known to the honest players and appears only in the security analysis. A protocol is called $\mathcal{Z}$-secure if it is secure against an adversary with corruption power characterized by $\mathcal{Z}$. For notational simplicity we assume that $A \subseteq E$ and $A \subseteq F$ for any $(A, E, F) \in \mathcal{Z}$, since an actively corrupted player can behave as being passively or fail-corrupted. Furthermore, as many constructions only need to consider the maximal classes of a structure, we define the maximal structure $\overline{\mathcal{Z}}$ as the smallest subset of $\mathcal{Z}$ such that $\forall (A, E, F) \in \mathcal{Z}\ \exists (\bar{A}, \bar{E}, \bar{F}) \in \overline{\mathcal{Z}} : A \subseteq \bar{A},\ E \subseteq \bar{E},\ F \subseteq \bar{F}$.

Communication takes place over a complete network of secure channels. Furthermore, we assume authenticated broadcast channels, which allow every $p_i \in \mathcal{P}$ to consistently send an authenticated message to all players in $\mathcal{P}$. All communication is synchronous, i.e., the delays in the network are upper-bounded by a known constant.
In the computational model (Section 7), the secrecy of the bilateral channels can be implemented by using encryption, where the public keys are distributed using the authenticated broadcast channels. We mention that in a model with simultaneous active and passive corruption, the authenticity cannot easily be implemented using setup, as the adversary can forge signatures of passively corrupted players. Also implementing the authenticated broadcast channels by point-to-point communication seems non-trivial, as it must be guaranteed that fail-corrupted players send either the right value or no value (but not a wrong value), and that passively corrupted players always send the right value.

To simplify the description, we adopt the following convention: Whenever a player does not receive an expected message (over a bilateral or a broadcast channel), or receives a message outside of the expected range, then the special symbol $\bot \notin \mathbb{F}$ is taken for this message. Note that after a player has crashed, he only sends $\bot$.

The function to be computed is described as an arithmetic circuit over some finite field $\mathbb{F}$, consisting of addition (or linear) gates and multiplication gates. Our protocols take as input the players' inputs and additionally the maximal adversary structure. The running time of the suggested protocols is polynomial in the size of their input (footnote 2) and the error probability is negligible.

3 Information Checking 

An actively corrupted player might send a value to another player and then deny that the value was sent by him. To deal with such behavior, we need a mechanism which binds a player to the messages he sends. In [RB89, CDD+99, BHR07] the Information Checking (IC) method was developed for this purpose, and used to design unconditionally secure protocols tolerating up to $t < n/2$ active cheaters. In this section, we extend the IC method to the setting of general adversaries with active, passive, and fail-corruption.

The IC-authentication scheme involves three players, a sender $p_s$, a recipient $p_r$, and a verifier $p_v$, and consists of three protocols, called IC-Setup, IC-Distr, and IC-Reveal. Protocol IC-Distr allows $p_s$ to send a value $v$ to $p_r$ in an authenticated way, so that $p_r$ can, by invoking IC-Reveal, open $v$ to $p_v$ and prove that $v$ was received from $p_s$. Both IC-Distr and IC-Reveal assume a secret key $\alpha$ known exclusively to $p_s$ and $p_v$ (but not to $p_r$). This key is generated and distributed in IC-Setup. Note that the same key can be used to authenticate multiple messages.

Informally, the three protocols can be described as follows: In IC-Setup, $p_s$ generates a uniformly random key $\alpha$ and sends it to $p_v$ over the bilaterally secure channel. In IC-Distr, $\alpha$ is used to generate an authentication tag $y$ and a verification tag $z$ for the sent value $v$. The values $(v, y)$ and $z$ are given to $p_r$ and $p_v$, respectively. In IC-Reveal, $p_r$ sends $(v, y)$ to $p_v$, who verifies that $(y, z)$ is a valid authentication/verification-tag pair for $v$ with key $\alpha$.

Ideally, an IC-authentication scheme should have the following properties: (1) Any value sent with IC-Distr is accepted in IC-Reveal, (2) in IC-Distr, $p_v$ gets no information on $v$, and (3) only values sent with IC-Distr are accepted in IC-Reveal. However, these properties cannot be (simultaneously) perfectly satisfied. In fact, Property 3 can only be achieved with negligible error probability, as the adversary might guess an authentication tag $y'$ for a $v' \neq v$. Moreover, it can only be achieved when neither $p_s$ nor $p_v$ is passively corrupted, since otherwise the adversary knows $\alpha$ and $z$.

2 As the adversary structure might be exponentially large, our protocols' worst case running time can be exponential in the size of the player set. However, this is the best complexity one can hope to achieve for a protocol that tolerates any adversary structure [HM00].

In our IC-authentication scheme the key $\alpha$ is chosen uniformly at random from $\mathbb{F}$ and the value $v$ is also from $\mathbb{F}$. The authentication and verification tags, $y$ and $z$, respectively, are such that for some degree-one polynomial $w(\cdot)$ over $\mathbb{F}$, $w(0) = v$, $w(1) = y$, and $w(\alpha) = z$. In other words, $(y, z)$ is a valid IC-pair if $z = (y - v)\alpha + v$. Defining validity this way gives the IC-authentication scheme an additional linearity property. In particular, if $(y, z)$ and $(y', z')$ are valid IC-pairs for $v$ and $v'$, respectively, (for the same $\alpha$) then $(y + y', z + z')$ is a valid IC-pair for $v + v'$. This implies that when some values have been sent with IC-Distr, then $p_r$ and $p_v$ can, without any interaction, compute valid authentication data for any linear combination of those values.
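The IC-pair check $z = (y - v)\alpha + v$, its linearity, and the two limitations of Property 3 stated above, as an added Python illustration (not code from the paper). The choice of $\mathbb{F}$ as GF($2^{61}-1$) and all test values are constructed assumptions; the combination function generalizes the stated sum of two pairs to arbitrary field-coefficient linear combinations.

```python
import secrets

# Constructed assumption: the field F is GF(P) for the Mersenne prime P.
P = 2**61 - 1


def ic_setup():
    """IC-Setup: p_s samples a uniformly random key alpha and sends it to
    p_v over the bilateral secure channel (p_r never learns alpha)."""
    return secrets.randbelow(P)


def ic_distr(alpha, v):
    """IC-Distr: p_s fixes the degree-one polynomial w(x) = v + (y - v)*x,
    so w(0) = v, w(1) = y (authentication tag, handed to p_r with v) and
    w(alpha) = z (verification tag, handed to p_v). Returns ((v, y), z)."""
    y = secrets.randbelow(P)            # w(1) is uniformly random
    z = ((y - v) * alpha + v) % P       # w(alpha)
    return (v, y), z


def ic_reveal(alpha, z, v, y):
    """IC-Reveal: p_v accepts (v, y) received from p_r iff (y, z) is a
    valid IC-pair for v under alpha, i.e. z = (y - v)*alpha + v."""
    return z == ((y - v) * alpha + v) % P


def ic_combine(pairs, coeffs):
    """Linearity: for valid IC-pairs (y_i, z_i) on v_i under one alpha,
    (sum c_i*y_i, sum c_i*z_i) is a valid IC-pair for sum c_i*v_i, so p_r
    and p_v get authentication data for the combination without talking.
    pairs = [((v_i, y_i), z_i)]; returns ((v, y), z)."""
    v = sum(c * vy[0] for c, (vy, _) in zip(coeffs, pairs)) % P
    y = sum(c * vy[1] for c, (vy, _) in zip(coeffs, pairs)) % P
    z = sum(c * z_i for c, (_, z_i) in zip(coeffs, pairs)) % P
    return (v, y), z


def tag_computable_from_key(alpha, z, v_prime):
    """Why Property 3 needs p_s and p_v not passively corrupted: whoever
    knows alpha (nonzero) and z can solve z = (y' - v')*alpha + v' for y',
    so the scheme gives no unforgeability in that case."""
    return ((z - v_prime) * pow(alpha, -1, P) + v_prime) % P


def blind_guess_hits(alpha, z, v_prime, trials=1000):
    """Without alpha, a wrong pair (v', y') is accepted only if the guessed
    y' happens to fit, probability 1/|F| per guess; returns the hit count
    over `trials` random guesses (negligible for a large field)."""
    return sum(ic_reveal(alpha, z, v_prime, secrets.randbelow(P))
               for _ in range(trials))


if __name__ == "__main__":
    alpha = ic_setup()
    (v, y), z = ic_distr(alpha, 42)
    print("genuine pair accepted:", ic_reveal(alpha, z, v, y))
    print("altered value accepted:", ic_reveal(alpha, z, (v + 1) % P, y))
```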

Due to space restrictions, the detailed description of the protocols IC-Setup, IC-Distr, and IC-Reveal, as well as the proof of the following lemma are deleted from this extended abstract.

Theorem 1. Our IC-authentication scheme has the following properties. Correctness: When IC-Distr succeeds $p_r$ learns a value $v'$, where $v' = v$ unless $p_s$ is actively corrupted. IC-Distr might abort only when $p_s$ is incorrect. Completeness: If IC-Distr succeeds and $p_r$ is correct then in IC-Reveal $p_v$ accepts $v'$. Privacy: IC-Distr leaks no information on $v$ to any player other than $p_r$. Unforgeability: When neither $p_s$ nor $p_v$ is passively corrupted, and the protocols IC-Distr and IC-Reveal have been invoked at most polynomially many times, then the probability that an adversary actively corrupting $p_r$ makes $p_v$ accept some $v'$ which was not sent with IC-Distr is negligible.

General IC-signatures. An IC-authentication scheme allows a sender $p_i \in \mathcal{P}$ to send a value $v$ to a recipient $p_j \in \mathcal{P}$, so that $p_j$ can later prove authenticity of $v$, but only towards a dedicated verifier $p_k \in \mathcal{P}$. In our protocols we want to use IC-authentication as a mechanism to bind the sender $p_i$ to the messages he sends to $p_j$, so that $p_j$ can prove to every $p_k \in \mathcal{P}$ that these messages originate from $p_i$. In [CDD+99], the IC-signatures were introduced for this purpose. These can be seen as semi "digital signatures" with information-theoretic security. They do not achieve all properties of digital signatures, but enough to guarantee the security of our protocols.

The protocols used for generation and verification of IC-signatures are called ICS-Sign and ICS-Open, respectively. ICS-Sign allows a player $p_i \in \mathcal{P}$ to send a value $v$ to $p_j \in \mathcal{P}$ signed with an IC-signature. The idea is the following: for each $p_k \in \mathcal{P}$, $p_i$ invokes IC-Distr to send $v$ to $p_j$ with $p_k$ being the verifier, where $p_j$ checks that he receives the same $v$ in all invocations. As syntactic sugar, we denote the resulting IC-signature by $\sigma_{i,j}(v)$. The idea in ICS-Open is the following: $p_j$ announces $v$ and invokes IC-Reveal once for each $p_k \in \mathcal{P}$ being the verifier. Depending on the outcomes of IC-Reveal the players decide to accept or reject $v$. As we want every $p_i \in \mathcal{P}$ to be able to send messages with ICS-Sign, we need a secret-key setup, where every $p_i, p_k \in \mathcal{P}$ hold a secret key $\alpha_{i,k}$. Such a setup can be easily established by appropriate invocations of IC-Setup.

The decision to accept or reject in ICS-Open has to be taken in a way which ensures that valid signatures are accepted (completeness), and forged signatures are rejected with overwhelming probability (unforgeability). To guarantee completeness, a signature must not be rejected when only actively corrupted players rejected in IC-Reveal. Hence, the players cannot reject the signature when there exists a class $(A_j, E_j, F_j) \in \mathcal{Z}$ such that all rejecting players are in $A_j$. Along the same lines, to guarantee unforgeability, the players cannot accept the signature when there exists a class $(A_i, E_i, F_i) \in \mathcal{Z}$ such that all accepting players are in $E_i$. To make sure that the above two cases cannot simultaneously occur, we require $\mathcal{Z}$ to satisfy the following property, denoted as $C_{IC}(\mathcal{P}, \mathcal{Z})$:

$$C_{IC}(\mathcal{P}, \mathcal{Z}) \iff \forall (A_i, E_i, F_i), (A_j, E_j, F_j) \in \mathcal{Z} : E_i \cup A_j \cup (F_i \cap F_j) \neq \mathcal{P}$$

We refer to the full version of this paper for a detailed description of the protocols 
ICS-Sign and ICS-Open and for a proof of the following lemma. 

Lemma 1. Assuming that $C_{IC}(\mathcal{P}, \mathcal{Z})$ holds, our IC-signatures scheme has the following properties. Correctness: When ICS-Sign succeeds, then $p_r$ learns a value $v'$, where $v' = v$ unless $p_s$ is actively corrupted. ICS-Sign might abort only when $p_s$ is incorrect. Completeness: If ICS-Sign succeeds and $p_r$ is correct then in ICS-Open all players accept $v'$. Privacy: ICS-Sign leaks no information on $v$ to any player other than $p_r$. Unforgeability: When $p_s$ is not passively corrupted, and the protocols ICS-Sign and ICS-Open have been invoked at most polynomially many times, then the probability that an adversary actively corrupting $p_r$ can make the players accept some $v'$ which was not sent with ICS-Sign is negligible.

Linearity of IC-signatures. The linearity property of the IC-authentication scheme is propagated to the IC-signatures. In particular, when some values have been sent by $p_i$ to $p_j$ with ICS-Sign (using the same secret keys), then the players can locally, i.e., without any interaction, compute $p_i$'s signature for any linear combination of those values, by applying the appropriate linear combination on the respective signatures. This process yields a signature which, when $p_j$ is correct, will be accepted in ICS-Open.

4 Tools - Subprotocols 

In this section we describe sub-protocols that are used as building blocks for MPC and SFE protocols. Some of the sub-protocols are non-robust, i.e., they might abort. When they abort then all (correct) players agree on a non-empty set $B \subseteq \mathcal{P}$ of incorrect players. The sub-protocols use IC-signatures to authenticate the sent values, therefore their security relies on the security of the IC-signatures. In particular, the security of the sub-protocols is guaranteed only when no signature is forged (footnote 3). The secret-key setup, which is required for the IC-signatures, is established in a setup phase, before any of the sub-protocols is invoked. Due to space restrictions the security proofs and even the detailed descriptions of some of the sub-protocols are deleted from this extended abstract.

4.1 Share and Reconstruct 

A secret-sharing scheme allows a player (called the dealer) to distribute a secret so that only qualified sets of players can reconstruct it. As secret-sharing scheme we employ a sum-sharing, i.e., the secret is split into summands that add up to the secret, where each summand might be given to several players. Additionally, for each summand all the players who hold it bilaterally exchange signatures on it. The sharing is characterized by a vector $\mathcal{S} = (S_1, \ldots, S_m)$ of subsets of $\mathcal{P}$, called the sharing specification. A value $s$ is shared according to $\mathcal{S}$ if there exist summands $s_1, \ldots, s_m \in \mathbb{F}$ such that $\sum_{k=1}^m s_k = s$, and for each $k = 1, \ldots, m$ every $p_j \in S_k$ holds $s_k$ along with IC-signatures on it from every $p_i \in S_k$. As syntactic sugar, we denote by $\sigma_{\mathcal{S}}(s)$ the set of all IC-signatures on the summands $s_1, \ldots, s_m$ held by the players. For each $p_j \in \mathcal{P}$ the vector $\langle s \rangle_j = (s_{j_1}, \ldots, s_{j_\ell})$ is considered to be $p_j$'s share of $s$, where $s_{j_1}, \ldots, s_{j_\ell}$ are the summands held by $p_j$. The vector of all shares and the attached signatures, denoted as $\langle s \rangle = (\langle s \rangle_1, \ldots, \langle s \rangle_n, \sigma_{\mathcal{S}}(s))$, is a sharing of $s$. The vector of summands in $\langle s \rangle$ is denoted as $[s] = (s_1, \ldots, s_m)$. We say that $\langle s \rangle$ is a consistent sharing of $s$ according to $\mathcal{S}$ if for each $k = 1, \ldots, m$ all (correct) players in $S_k$ have the same view on the summand $s_k$ and hold signatures on it from all other players in $S_k$, and $\sum_{k=1}^m s_k = s$.

3 We use the term "forge" only for signatures corresponding to non-passively corrupted signers.

For an adversary structure $\mathcal{Z}$, we say that a sharing specification $\mathcal{S}$ is $\mathcal{Z}$-private if for any sharing $\langle s \rangle$ according to $\mathcal{S}$ and for any adversary in $\mathcal{Z}$, there exists a summand $s_k$ which this adversary does not know. Formally, $\mathcal{S}$ is $\mathcal{Z}$-private if $\forall (A, E, F) \in \mathcal{Z}\ \exists S \in \mathcal{S} : S \cap E = \emptyset$ (footnote 4). For an adversary structure $\mathcal{Z}$ with maximal classes $\overline{\mathcal{Z}} = \{(\cdot, E_1, \cdot), \ldots, (\cdot, E_m, \cdot)\}$, we denote the natural $\mathcal{Z}$-private sharing specification by $\mathcal{S}_{\mathcal{Z}} = (\mathcal{P} \setminus E_1, \ldots, \mathcal{P} \setminus E_m)$.

Protocol Share (see below) allows a dealer $p$ to share a value $s$ among the players in $\mathcal{P}$ according to a sharing specification $\mathcal{S}$. The protocol is non-robust and might abort with a set $B \subseteq \mathcal{P}$ of incorrect players.


Protocol Share($\mathcal{P}, \mathcal{Z}, \mathcal{S}, p, s$)

1. Dealer $p$ chooses summands $s_2, \ldots, s_{|\mathcal{S}|}$ randomly and sets $s_1 := s - \sum_{k=2}^{|\mathcal{S}|} s_k$.

2. For $k = 1, \ldots, |\mathcal{S}|$ the following steps are executed:

(a) $p$ sends $s_k$ to each $p_j \in S_k$.

(b) For each $p_i, p_j \in S_k$: ICS-Sign($\mathcal{P}, \mathcal{Z}, p_i, p_j, s_k$) is invoked to have $p_i$ send $s_k$ to $p_j$ and attach an IC-signature on it. If ICS-Sign aborts, then Share aborts with $B := \{p_i\}$.

(c) Each $p_j \in S_k$ broadcasts a complaint bit $b$, where $b = 1$ if $p_j$ received a $\bot$ instead of $s_k$ in Step 2a, or if he received some $s'_k \neq s_k$ from some $p_i$ in Step 2b, and $b = 0$ otherwise.

(d) If a complaint was reported $p$ broadcasts $s_k$ and the players in $S_k$ create default signatures on it. If $p$ broadcasts $\bot$ then Share aborts with set $B := \{p\}$.


Lemma 2. If $\mathcal{S}$ is a $\mathcal{Z}$-private sharing specification, then protocol Share($\mathcal{P}, \mathcal{Z}, \mathcal{S}, p, s$) has the following properties. Correctness: It either outputs a consistent sharing of $s'$ according to $\mathcal{S}$, where $s' = s$ unless the dealer $p$ is actively corrupted, or it aborts with a non-empty set $B \subseteq \mathcal{P}$ of incorrect players. Privacy: No information about $s$ leaks to the adversary.

4 Recall that for all $(A, E, F) \in \mathcal{Z}$: $A \subseteq E$.

M. Hirt, U. Maurer, and V. Zikas

Reconstructing a shared value $s$ is straightforward: The summands are announced one by one, and $s$ is computed as the sum of the announced summands. To announce a summand $s_k$, each $p_i \in S_k$ broadcasts $s_k$ and opens all the signatures on $s_k$ which he holds (i.e., the signatures on $s_k$ from all players in $S_k$). If all the signatures announced by $p_i$ are accepted, then the value he announced is taken for $s_k$. If no $p_i \in S_k$ correctly announces all the signatures the announcing aborts with $B := S_k$. Protocols PubAnnounce and PubReconstruct invoked to publicly announce a summand and to publicly reconstruct a shared value are given in detail in the full version of this paper. In the following two lemmas (also proved in the full version) we state their security.

Lemma 3. Assume that $C_{IC}(\mathcal{P}, \mathcal{Z})$ holds, the condition $\forall (A, E, F) \in \mathcal{Z} : S_k \not\subseteq E$ holds, and no signature is forged. Then protocol PubAnnounce either publicly announces the correct summand $s_k$, or it aborts with a non-empty set $B$ of incorrect players. It might abort only if $S_k \subseteq F^*$.

Lemma 4. Assume that $C_{IC}(\mathcal{P}, \mathcal{Z})$ holds, the condition $\forall S \in \mathcal{S},\ \forall (A, E, F) \in \mathcal{Z} : S \not\subseteq E$ holds, $\langle s \rangle$ is a consistent sharing according to $\mathcal{S}$, and no signature is forged. Then protocol PubReconstruct either publicly reconstructs $s$, or it aborts with a non-empty set $B \subseteq \mathcal{P}$ of incorrect players.

Protocol PubReconstruct allows for public reconstruction of a shared value. However, in some of our protocols we need to reconstruct a shared value $s$ privately, i.e., only towards some dedicated output player $p$. Such a private reconstruction protocol can be built using standard techniques ($p$ shares a one-time pad used for perfectly blinding the output). We refer to the protocol for private reconstruction as Reconstruct, and point to the full version of this paper for a detailed description as well as for a proof of the following lemma.

Lemma 5. Assume that $C_{IC}(\mathcal{P}, \mathcal{Z})$ holds, $\mathcal{S}$ is a $\mathcal{Z}$-private sharing specification, the condition $\forall S \in \mathcal{S},\ \forall (\cdot, E, \cdot) \in \mathcal{Z} : S \not\subseteq E$ holds, $\langle s \rangle$ is a consistent sharing according to $\mathcal{S}$, and no signature is forged. Then protocol Reconstruct($\mathcal{P}, \mathcal{Z}, \mathcal{S}, p, \langle s \rangle$) has the following properties. Correctness: Either it reconstructs $s$ towards $p$, or it aborts with a non-empty set $B \subseteq \mathcal{P}$ of incorrect players. Privacy: No information about $\langle s \rangle$ leaks to the adversary.

Addition. Due to the linearity of our secret sharing scheme, the players can locally 
compute a sharing of the sum of two shared values s and t as follows: each player adds 
his shares of s and t, and the corresponding signatures are also (locally) added. We refer 
to this sub-protocol as Add. 

4.2 Multiplication 

The goal of this section is to design a protocol for securely computing a sharing of the product of two shared values. Our approach combines techniques from [GRR98, Mau02, Mau06, BFH+08].
At a high level, the multiplication protocol for two shared values $s$ and $t$ works as follows: As $s$ and $t$ are already shared, we can use the summands $s_1, \ldots, s_m$ and $t_1, \ldots, t_m$ to compute the product as $st = \sum_{k,\ell=1}^m s_k t_\ell$. For each term $x_{k,\ell} = s_k t_\ell$, we have a player $p^{(k,\ell)} \in (S_k \cap S_\ell)$ share $x_{k,\ell}$ and prove that he shared the correct value. The sharing of $st$ is computed as the sum of the sharings of the terms $x_{k,\ell}$.

For $p^{(k,\ell)} \in (S_k \cap S_\ell)$ to share $s_k t_\ell$ and prove that he did so properly the idea is the following: First, $p^{(k,\ell)}$ shares $s_k t_\ell$ by invoking Share. Denote by $x'_{k,\ell}$ the shared value. Next, $p^{(k,\ell)}$ shares the summands $s_k$ and $t_\ell$ by a protocol, called SumShare, which guarantees that he shares the correct summands. Finally, $p^{(k,\ell)}$ uses the sharings of $s_k$, $t_\ell$, and $x'_{k,\ell}$ in a protocol, called MultProof, which allows him to prove that $x'_{k,\ell} = s_k t_\ell$. In the following we discuss the sub-protocols SumShare and MultProof, and then give a detailed description of the multiplication protocol.
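The sum-sharing arithmetic of Section 4.1 (dealer step of Share, shares per player, local Add, reconstruction, and the privacy argument behind Lemma 2) together with the term decomposition $st = \sum_{k,\ell} s_k t_\ell$ above, as an added Python illustration (not the paper's protocol). IC-signatures, complaints, SumShare and MultProof are omitted; the field, the five-player specification and the rule "smallest index in $S_k \cap S_\ell$ plays $p^{(k,\ell)}$" are constructed assumptions, and indices are 0-based so `spec[0]` is $S_1$.

```python
import secrets

# Constructed assumption: the field F is GF(P) for the Mersenne prime P.
P = 2**61 - 1


def share(s, spec):
    """Dealer step of Share: s_2, ..., s_m random, s_1 := s - sum(s_2..s_m).
    Returns the summand vector [s] = (s_1, ..., s_m), indexed 0..m-1."""
    rest = [secrets.randbelow(P) for _ in spec[1:]]
    return [(s - sum(rest)) % P] + rest


def shares_of(summands, spec, player):
    """<s>_j: the summands held by p_j, i.e. s_k for every S_k containing
    p_j, keyed by k so shares of different sharings line up."""
    return {k: summands[k] for k, S in enumerate(spec) if player in S}


def add(summands_s, summands_t):
    """Add: summand-wise local addition yields a sharing of s + t."""
    return [(a + b) % P for a, b in zip(summands_s, summands_t)]


def reconstruct(summands):
    """PubReconstruct arithmetic: announce every summand and add them up."""
    return sum(summands) % P


def adversary_view(summands, spec, E):
    """Summands an adversary eavesdropping on E learns (A ⊆ E): every s_k
    with at least one holder in E."""
    return {k: summands[k] for k, S in enumerate(spec) if S & E}


def hides_secret_from(summands, spec, E):
    """Lemma 2's privacy argument: if some summand is unknown to the
    adversary, the known ones are independent of s because the unknown
    summand acts as a one-time pad over F."""
    return len(adversary_view(summands, spec, E)) < len(spec)


def product_terms(summands_s, summands_t, spec):
    """Section 4.2 decomposition: st = sum_{k,l} s_k t_l where term x_{k,l}
    is computed by a player p^(k,l) in S_k ∩ S_l (constructed rule: the
    smallest index). Returns {(k, l): (player, x_{k,l})}; raises if some
    S_k ∩ S_l is empty, i.e. nobody holds both summands."""
    terms = {}
    for k, S_k in enumerate(spec):
        for l, S_l in enumerate(spec):
            holders = S_k & S_l
            if not holders:
                raise ValueError(f"no player holds both s_{k + 1} and t_{l + 1}")
            terms[(k, l)] = (min(holders), summands_s[k] * summands_t[l] % P)
    return terms


if __name__ == "__main__":
    # Constructed specification S = (S_1, S_2, S_3) over players 1..5.
    SPEC = [frozenset({3, 4, 5}), frozenset({1, 2, 4, 5}), frozenset({1, 2, 3})]
    s, t = share(42, SPEC), share(100, SPEC)
    print("s + t reconstructs to", reconstruct(add(s, t)))
    total = sum(x for _, x in product_terms(s, t, SPEC).values()) % P
    print("sum of product terms", total)
```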

Protocol SumShare (see full version) allows a player $p \in S_k$ to share a summand $s_k$ of a sharing $\langle s \rangle$ according to $\mathcal{S}$, where $S_k \in \mathcal{S}$. The sharing specification of the output sharing can be some $\mathcal{S}' \neq \mathcal{S}$. In contrast to Share, protocol SumShare guarantees that $p$ shares the correct value $s_k$. The idea is to have $p$ share $s_k$, by Share, and then reconstruct the sharing (privately) towards each $p_j \in S_k$ who publicly approves or disapproves it. We refer to the full version of this paper for a proof of the following lemma.

Lemma 6. Assume that $C^{IC}(\mathcal{P},\mathcal{Z})$ holds, $\mathcal{S}'$ is a $\mathcal{Z}$-private sharing specification, the 
conditions $\forall (\cdot, E, \cdot) \in \mathcal{Z} : S_k \not\subseteq E$ and $\forall S' \in \mathcal{S}'\ \forall (\cdot, E, \cdot) \in \mathcal{Z} : S' \not\subseteq E$ 
hold, and no signature is forged. Then $\mathrm{SumShare}(\mathcal{P}, \mathcal{Z}, \mathcal{S}', S_k, p, s_k)$ has the following 
properties. Correctness: Either it outputs a consistent sharing of $s_k$ ($p$ also outputs the 
vector $[s_k]$ of summands) according to $\mathcal{S}'$, or it aborts with a non-empty set $B \subseteq \mathcal{P}$ of 
incorrect players. Privacy: No information about $s_k$ leaks to the adversary. 

Protocol MultProof (see full version) allows a player $p$, called the prover, who has 
shared three values $a$, $b$, and $c$ (and knows the corresponding vectors $[a]$, $[b]$, and $[c]$ of 
summands) to prove that $c = ab$. The protocol can be seen as a distributed challenge- 
response protocol with prover $p$ and the verifier being all the players in $\mathcal{P}$. On a high level, it 
can be described as follows: First $p$ shares some appropriately chosen values. Then the 
players jointly generate a uniformly random challenge $r$ and expose it, and $p$ answers 
the challenge. If $p$'s answer is consistent with the sharings of $a$, $b$, and $c$ and the sharings 
which he created in the first step, then the proof is accepted; otherwise it is rejected. 
MultProof is non-robust and might abort with a set $B \subseteq \mathcal{P}$ of incorrect players. The 
proof of the following lemma is deleted from this extended abstract. 

Lemma 7. Assume that $C^{IC}(\mathcal{P},\mathcal{Z})$ holds, $\mathcal{S}$ is a $\mathcal{Z}$-private sharing specification, the 
condition $\forall S \in \mathcal{S},\ \forall (\cdot, E, \cdot) \in \mathcal{Z} : S \not\subseteq E$ holds, $\langle a \rangle$, $\langle b \rangle$, and $\langle c \rangle$ are consistent 
sharings according to $\mathcal{S}$, and no signature is forged. Then the protocol MultProof has 
the following properties. Correctness: If $c = ab$, then either the proof is accepted or 
MultProof aborts with a non-empty set $B \subseteq \mathcal{P}$ of incorrect players. Otherwise (i.e., 
if $c \neq ab$), with overwhelming probability, either the proof is rejected or MultProof 
aborts with a non-empty set $B \subseteq \mathcal{P}$ of incorrect players. Privacy: No information 
about $\langle a \rangle$, $\langle b \rangle$, and $\langle c \rangle$ leaks to the adversary. 

^5 Note that Share does not guarantee that $x'_{k,\ell} = s_k t_\ell$. 

For completeness, we describe the multiplication protocol Mult (see below), which 
allows the players to compute a sharing of the product of two shared values. Mult is non-robust 
and might abort with a non-empty set $B \subseteq \mathcal{P}$ of incorrect players. When it succeeds, 
then with overwhelming probability it outputs a consistent sharing of the product. 


Protocol Mult($\mathcal{P}$, $\mathcal{Z}$, $\mathcal{S}$, $\langle s \rangle$, $\langle t \rangle$) 

1. For every $(S_k, S_\ell) \in \mathcal{S} \times \mathcal{S}$, the following steps are executed, where $p^{(k,\ell)}$ denotes 
the player in $S_k \cap S_\ell$ with the smallest index: 

(a) $p^{(k,\ell)}$ computes $x_{k,\ell} := s_k t_\ell$ and shares it, by Share. Denote by $\langle x_{k,\ell} \rangle$ the 
resulting sharing.^a 

(b) $\mathrm{SumShare}(\mathcal{P}, \mathcal{Z}, \mathcal{S}, S_k, p^{(k,\ell)}, s_k)$ and $\mathrm{SumShare}(\mathcal{P}, \mathcal{Z}, \mathcal{S}, S_\ell, p^{(k,\ell)}, t_\ell)$ are 
invoked. Denote by $\langle s_k \rangle$ and $\langle t_\ell \rangle$ the resulting sharings. 

(c) $\mathrm{MultProof}(\mathcal{P}, \mathcal{Z}, \mathcal{S}, p^{(k,\ell)}, \langle s_k \rangle, \langle t_\ell \rangle, \langle x_{k,\ell} \rangle)$ is invoked. If the proof is 
rejected then Mult aborts with set $B = \{p^{(k,\ell)}\}$. 

2. A sharing of the product $st$ is computed as the sum of the sharings $\langle x_{k,\ell} \rangle$ by 
repeatedly invoking Add. 

3. If any of the invoked sub-protocols aborts with $B$, then also Mult aborts with $B$. 

^a In addition to his share of $\langle x_{k,\ell} \rangle$, $p^{(k,\ell)}$ also outputs the vector of summands $[x_{k,\ell}]$. 


Lemma 8. Assume that $C^{IC}(\mathcal{P},\mathcal{Z})$ holds, $\mathcal{S}$ is a $\mathcal{Z}$-private sharing specification, the 
conditions $\forall S \in \mathcal{S},\ \forall (\cdot, E, \cdot) \in \mathcal{Z} : S \not\subseteq E$ and $\forall S_k, S_\ell \in \mathcal{S} : S_k \cap S_\ell \neq \emptyset$ 
hold, $\langle s \rangle$ and $\langle t \rangle$ are consistent sharings according to $\mathcal{S}$, and no signature is forged. 
Then protocol $\mathrm{Mult}(\mathcal{P}, \mathcal{Z}, \mathcal{S}, \langle s \rangle, \langle t \rangle)$ has the following properties except with negligible 
probability. Correctness: It either outputs a consistent sharing of $st$ according to $\mathcal{S}$ 
or it aborts with a non-empty set $B \subseteq \mathcal{P}$ of incorrect players. Privacy: No information 
about $\langle s \rangle$ and $\langle t \rangle$ leaks to the adversary. 
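To make the summand arithmetic behind Add and Mult concrete, the following is an added Python simulation (not the paper's code) of the sharing scheme over a prime field: it assumes a constructed sharing specification over four players and leaves out the signatures, SumShare and MultProof, so all players are honest and only the correctness of the cross-term sum $st = \sum_{k,\ell} s_k t_\ell$ and the need for a common holder of each pair $(S_k, S_\ell)$ are exercised.

```python
"""Added example (not the paper's code): summand-based sharing over GF(Q),
the local Add, and the arithmetic core of Mult (steps 1(a) and 2).
All players are assumed honest; signatures, SumShare and MultProof are omitted.
"""
import random

Q = 2**61 - 1      # constructed choice of the field; any prime works

# Constructed sharing specification S = (S_1, S_2) over players {1, 2, 3, 4}.
# Player 4 is in both sets, so S_1 ∩ S_2 ≠ ∅ as Lemma 8 requires.
SPEC = (frozenset({3, 4}), frozenset({1, 2, 4}))


def share(value, spec, rng=random):
    """Share: m uniformly random summands s_1..s_m with sum = value (mod Q).
    Summand s_k is given to every player in S_k."""
    summands = [rng.randrange(Q) for _ in range(len(spec) - 1)]
    summands.append((value - sum(summands)) % Q)
    return summands


def view(player, spec, summands):
    """The share of one player: {k: s_k} for every S_k that contains him."""
    return {k: summands[k] for k, S_k in enumerate(spec) if player in S_k}


def reconstruct(summands):
    return sum(summands) % Q


def add(s, t):
    """Add: summand-wise addition, performed locally by each player on the
    summands he holds (the signatures would be added the same way)."""
    return [(a + b) % Q for a, b in zip(s, t)]


def disjoint_pairs(spec):
    """Pairs (k, l) with S_k ∩ S_l = ∅: for these nobody can form s_k * t_l."""
    return [(k, l) for k, S_k in enumerate(spec)
            for l, S_l in enumerate(spec) if not (S_k & S_l)]


def mult(s, t, spec, rng=random):
    """Mult without the proofs: for every (S_k, S_l) the lowest-index player
    of S_k ∩ S_l computes x_{k,l} = s_k * t_l from his own view and shares it;
    the sharings <x_{k,l}> are summed with Add, giving a sharing of s*t."""
    bad = disjoint_pairs(spec)
    if bad:
        raise ValueError(f"specification violates S_k ∩ S_l ≠ ∅ for pairs {bad}")
    product = [0] * len(spec)
    for k, S_k in enumerate(spec):
        for l, S_l in enumerate(spec):
            p = min(S_k & S_l)                      # the designated player p^{(k,l)}
            my_s, my_t = view(p, spec, s), view(p, spec, t)
            x_kl = (my_s[k] * my_t[l]) % Q          # both summands are in p's view
            product = add(product, share(x_kl, spec, rng))
    return product


def demo(a=6, b=7):
    """Share a and b, add and multiply them, and reconstruct both results."""
    s, t = share(a, SPEC), share(b, SPEC)
    return reconstruct(add(s, t)), reconstruct(mult(s, t, SPEC))


if __name__ == "__main__":
    print(demo())                                                   # (13, 42)
    print(disjoint_pairs((frozenset({1, 2}), frozenset({3, 4}))))  # [(0, 1), (1, 0)]
```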

4.3 Resharing 

In the context of MPC, we will need to reshare shared values according to a different 
sharing specification. To do that, each summand is shared by SumShare (see Section 4.2) 
according to the new sharing specification, and the players distributively add 
the sharings of the summands, resulting in a new sharing of the original value. A detailed 
description of the protocol Reshare as well as a proof of the following lemma can 
be found in the full version of this paper. 


Lemma 9. Assume that $C^{IC}(\mathcal{P},\mathcal{Z})$ holds, $\mathcal{S}'$ is a $\mathcal{Z}$-private sharing specification, the 
conditions $\forall S \in \mathcal{S}\ \forall (\cdot, E, \cdot) \in \mathcal{Z} : S \not\subseteq E$, and $\forall S' \in \mathcal{S}'\ \forall (\cdot, E, \cdot) \in \mathcal{Z} : S' \not\subseteq E$ hold, 
and no signature is forged. Then $\mathrm{Reshare}(\mathcal{P}, \mathcal{Z}, \mathcal{S}, \mathcal{S}', \langle s \rangle)$ has the following properties. 
Correctness: Either it outputs a consistent sharing of $s$ according to $\mathcal{S}'$, or it aborts with 
a non-empty set $B \subseteq \mathcal{P}$ of incorrect players. Privacy: No information about $\langle s \rangle$ leaks 
to the adversary. 
5 (Reactive) Multi-party Computation 

In this section we prove the necessary and sufficient condition on the adversary structure 
$\mathcal{Z}$ for the existence of unconditionally (i.e., i.t. with negligible error probability) 
secure multi-party computation protocols, namely, we prove the following theorem: 

Theorem 2. A set $\mathcal{P}$ of players can unconditionally $\mathcal{Z}$-securely compute any (reactive) 
computation, if and only if $C^{(2)}(\mathcal{P},\mathcal{Z})$ and $C^{(1)}(\mathcal{P},\mathcal{Z})$ hold, where 

$C^{(2)}(\mathcal{P},\mathcal{Z}) \iff \forall (A_i, E_i, F_i), (A_j, E_j, F_j) \in \mathcal{Z} : E_i \cup E_j \cup (F_i \cap F_j) \neq \mathcal{P}$ 
$C^{(1)}(\mathcal{P},\mathcal{Z}) \iff \forall (A_i, E_i, F_i), (A_j, E_j, F_j) \in \mathcal{Z} : E_i \cup F_j \neq \mathcal{P}$ 

The sufficiency of the above condition is proved by constructing an MPC protocol for 
any given circuit $C$ consisting of input, addition, multiplication, and output gates.^6 The 
reactiveness of the computation is modeled by assigning to each gate a point in time 
when it should be evaluated. 

The circuit is evaluated in a gate-by-gate fashion, where for input, addition, mul- 
tiplication, and output gates, the corresponding sub-protocol Share, Add, Mult, and 
Reconstruct, respectively, is invoked. 

The computation starts off with the initial player set $\mathcal{P}$ and adversary structure $\mathcal{Z}$, 
and with the sharing specification being $\mathcal{S} := \mathcal{S}_{\mathcal{Z}}$. Each time a sub-protocol aborts 
with set $B$ of incorrect players, the players in $B$ are deleted from the player set and 
from every set in the sharing specification, and the corresponding gate is repeated. Any 
future invocation of a sub-protocol is done in the updated player set $\mathcal{P}'$ and sharing 
specification $\mathcal{S}'$, and with the updated adversary structure $\mathcal{Z}'$, which contains only the 
classes in $\mathcal{Z}$ compatible with the players in $\mathcal{P} \setminus \mathcal{P}'$ being incorrect. Note that, as the 
players in $\mathcal{P} \setminus \mathcal{P}'$ are incorrect, any sharing according to $(\mathcal{P}, \mathcal{S})$ can be transformed, 
without any interaction, to a sharing according to $(\mathcal{P}', \mathcal{S}')$ by having the players delete 
all signatures of signers from $\mathcal{P} \setminus \mathcal{P}'$. 

The delicate task is the multiplication of two shared values $s$ and $t$. The idea is 
the following: First, we invoke Reshare to have both $s$ and $t$ shared according to the 
sharing specification $\mathcal{S}_{\mathcal{Z}'}$, i.e., the specification associated with the structure $\mathcal{Z}'$. Then 
we invoke Mult to compute a sharing of the product $st$ according to $\mathcal{S}_{\mathcal{Z}'}$, and at the end 
we invoke Reshare once again to have the product shared back to the initial setting (i.e., 
according to $(\mathcal{P}', \mathcal{S}')$). 

The security of the computation is guaranteed as long as no signature is forged. 
We argue that the forging probability is negligible. Observe that the total number of 
signatures in each sub-protocol invocation is polynomial in the input size; also, the 
total number of sub-protocol invocations is polynomial in the size of the circuit (since 
each time a sub-protocol aborts a new set B of incorrect players is identified, the total 
number of abortions is bounded by n). Hence, the total number of signatures in the 
computation is polynomial and, by the unforgeability property, the probability that a 
signature is forged is negligible. 

We use the following operators on adversary structures, which were introduced in 
[BFH+08]: For a set $B \subseteq \mathcal{P}$, we denote by $\mathcal{Z}|^{B \subseteq F}$ the sub-structure of $\mathcal{Z}$ that contains 
only adversaries who can fail-corrupt all the players in $B$, i.e., 
$\mathcal{Z}|^{B \subseteq F} = \{(A, E, F) \in \mathcal{Z} : B \subseteq F\}$. Furthermore, for a set $\mathcal{P}' \subseteq \mathcal{P}$, we denote by $\mathcal{Z}|_{\mathcal{P}'}$ 
the adversary structure with all classes in $\mathcal{Z}$ restricted to the player set $\mathcal{P}'$, i.e., 
$\mathcal{Z}|_{\mathcal{P}'} = \{(A \cap \mathcal{P}', E \cap \mathcal{P}', F \cap \mathcal{P}') : (A, E, F) \in \mathcal{Z}\}$. We also use the same operator on 
sharing specifications with similar semantics, i.e., for $\mathcal{S} = (S_1, \ldots, S_m)$ we denote 
$\mathcal{S}|_{\mathcal{P}'} = (S_1 \cap \mathcal{P}', \ldots, S_m \cap \mathcal{P}')$. As syntactic sugar, we write $\mathcal{Z}|^{B \subseteq F}_{\mathcal{P}'}$ for $(\mathcal{Z}|^{B \subseteq F})|_{\mathcal{P}'}$. 

^6 This does not exclude probabilistic circuits, as a random gate can be simulated by having each 
player input a random value and take the sum of those values as the input. 

It follows from the above definitions that when the players in $\mathcal{P} \setminus \mathcal{P}'$ have been 
detected to be incorrect, then the actual adversary $Z^\star$ is in $\mathcal{Z}|^{\mathcal{P} \setminus \mathcal{P}' \subseteq F}$. Furthermore, 
as the updated player set is $\mathcal{P}'$, the corresponding sharing specification and adversary 
structure are $\mathcal{S}' = \mathcal{S}|_{\mathcal{P}'}$ and $\mathcal{Z}' = \mathcal{Z}|^{\mathcal{P} \setminus \mathcal{P}' \subseteq F}_{\mathcal{P}'}$, respectively. One can easily verify that 
the conditions $C^{(2)}$ and $C^{(1)}$ hold in $(\mathcal{P}', \mathcal{Z}')$ when they hold in $(\mathcal{P}, \mathcal{Z})$. This results in 
protocol MPC (see below). 


Protocol MPC($\mathcal{P}$, $\mathcal{Z}$, $C$) 

0. Initialize $\mathcal{P}' := \mathcal{P}$, $\mathcal{Z}' := \mathcal{Z}$, and $\mathcal{S}' := \mathcal{S}_{\mathcal{Z}}$. 

1. For every gate to be evaluated, do the following: 

- Input gate for $p$: If $p \in \mathcal{P}'$ invoke Share to have $p$ share his input according 
to $(\mathcal{P}', \mathcal{S}')$. Otherwise, a default sharing of some pre-agreed default value is 
taken as the sharing of $p$'s input. 

- Addition gate: Invoke Add to compute a sharing of the sum according to $\mathcal{S}'$. 

- Multiplication gate: Denote the sharings of the factors as $\langle s \rangle$ and $\langle t \rangle$, respectively, 
and the sharing specification corresponding to $\mathcal{Z}'$ as $\mathcal{S}_{\mathcal{Z}'}$. Invoke 
$\mathrm{Reshare}(\mathcal{P}', \mathcal{Z}', \mathcal{S}', \mathcal{S}_{\mathcal{Z}'}, \langle s \rangle)$ and $\mathrm{Reshare}(\mathcal{P}', \mathcal{Z}', \mathcal{S}', \mathcal{S}_{\mathcal{Z}'}, \langle t \rangle)$ to obtain 
the sharings $\langle s \rangle'$ and $\langle t \rangle'$ according to $(\mathcal{P}', \mathcal{S}_{\mathcal{Z}'})$, respectively. Invoke 
$\mathrm{Mult}(\mathcal{P}', \mathcal{Z}', \mathcal{S}_{\mathcal{Z}'}, \langle s \rangle', \langle t \rangle')$ to obtain a sharing $\langle st \rangle'$ of the product, according 
to $(\mathcal{P}', \mathcal{S}_{\mathcal{Z}'})$. Invoke $\mathrm{Reshare}(\mathcal{P}', \mathcal{Z}', \mathcal{S}_{\mathcal{Z}'}, \mathcal{S}', \langle st \rangle')$ to reshare this product 
according to $(\mathcal{P}', \mathcal{S}')$. 

- Output gate for $p$: If $p \in \mathcal{P}'$ invoke Reconstruct to have the output reconstructed 
towards $p$. 

2. If any of the sub-protocols aborts with set $B$, then update $\mathcal{P}' := \mathcal{P}' \setminus B$, set 
$\mathcal{S}' := \mathcal{S}'|_{\mathcal{P}'}$ and $\mathcal{Z}' := \mathcal{Z}'|^{B \subseteq F}_{\mathcal{P}'}$ and repeat the corresponding gate. 


Lemma 10. The protocol MPC is unconditionally $\mathcal{Z}$-secure if $C^{(2)}(\mathcal{P},\mathcal{Z})$ and 
$C^{(1)}(\mathcal{P},\mathcal{Z})$ hold. 

To complete this section, we give two lemmas that imply that unconditionally secure 
(reactive) MPC is not possible for some circuits when $C^{(2)}(\mathcal{P},\mathcal{Z})$ or $C^{(1)}(\mathcal{P},\mathcal{Z})$ is 
violated. The proofs of the lemmas are deleted from this extended abstract. 

Lemma 11. If $C^{(2)}(\mathcal{P},\mathcal{Z})$ is violated then there exist (even non-reactive) circuits which 
cannot be evaluated unconditionally $\mathcal{Z}$-securely. 

Lemma 12. If $C^{(1)}(\mathcal{P},\mathcal{Z})$ is violated, then the players cannot hold a secret joint state 
with unconditional security. 
6 Secure Function Evaluation 

In this section we prove the necessary and sufficient condition on the adversary structure 
$\mathcal{Z}$ for the existence of unconditionally $\mathcal{Z}$-secure function evaluation protocols. Note that 
the condition for SFE is weaker than the condition for MPC. 


Theorem 3. A set $\mathcal{P}$ of players can unconditionally $\mathcal{Z}$-securely compute any function 
if and only if $C^{(2)}(\mathcal{P},\mathcal{Z})$ and $C_{ORD}(\mathcal{P},\mathcal{Z})$ hold, where 

$C^{(2)}(\mathcal{P},\mathcal{Z}) \iff \forall (A_i, E_i, F_i), (A_j, E_j, F_j) \in \mathcal{Z} : E_i \cup E_j \cup (F_i \cap F_j) \neq \mathcal{P}$ 
$C_{ORD}(\mathcal{P},\mathcal{Z}) \iff \exists$ an ordering $((A_1, E_1, F_1), \ldots, (A_m, E_m, F_m))$ of $\bar{\mathcal{Z}}$ s.t.^7 
$\forall i, j \in \{1, \ldots, m\},\ i < j : E_j \cup F_i \neq \mathcal{P}$ 


The sufficiency of the condition is proved by constructing an SFE protocol. Our approach 
is similar to the approach from [BFH+08]: First all players share their inputs, 
then the circuit is evaluated gate-by-gate, and then the output is publicly reconstructed. 
However, our conditions do not guarantee robust reconstructibility. In fact, the adversary 
can break down the computation and cause all the sharings to be lost. As the circuit 
is non-reactive, we handle such an abortion by repeating the whole protocol, including 
the input gates. In each repetition, the adversary might choose new inputs for the actively 
corrupted players. By ensuring that the adversary gets no information on any 
secrets unless the full protocol succeeds (including the evaluation of output gates), we 
make sure that she chooses these inputs independently of the other players' inputs. 

Termination is guaranteed by the fact that whenever the protocol aborts, a new set $B$ 
of incorrect players is identified, and the next iteration proceeds without them. Hence, 
the number of iterations is bounded by $n$. This implies also that the total number of 
signatures in the computation is polynomial, hence the forging probability is negligible. 

Special care needs to be taken in the design of the output protocol. For simplicity, 
we describe the protocol for a single public output. Using standard techniques one can 
extend it to allow several outputs and, furthermore, private outputs. 

The idea of the output protocol is the following: First observe that the privacy of our 
sharing scheme is protected by a particular summand which is not given to the adversary. 
In fact, such a summand $s_k$ is guaranteed to exist for each $(A_k, E_k, F_k) \in \mathcal{Z}$ by the 
$\mathcal{Z}$-privacy of the sharing specification $\mathcal{S}_{\mathcal{Z}}$. As long as this summand is not published, an 
adversary of class $(A_k, E_k, F_k)$ gets no information about the output (from the adversary's 
point of view, $s_k$ is a perfect blinding of the output, and all other summands $s_i$ are 
either known to the adversary or are distributed uniformly). Second, observe that whenever 
the publishing of some summand $s_k$ fails (i.e., PubAnnounce aborts), the players 
get information about the actual adversary $(A^\star, E^\star, F^\star)$, namely that $S_k \subseteq F^\star$. The 
trick is to announce the summands in such an order that if the announcing of a summand 
$s_k$ aborts, then from the information that $S_k \subseteq F^\star$ the players can deduce that 
the summand associated with the actual adversary class has not yet been announced. In 
particular, if an adversary class $Z_i = (A_i, E_i, F_i)$ could potentially abort the announcing 
of the summand $s_k$ (i.e., if $S_k \subseteq F_i$), then the summand $s_k$ should be announced 
strictly before $s_i$, i.e., the summand associated with $Z_i$, is announced. 


^7 Remember that $\bar{\mathcal{Z}}$ denotes the maximal classes in $\mathcal{Z}$. One can verify that such an ordering 
exists for $\bar{\mathcal{Z}}$ exactly if it exists for $\mathcal{Z}$. 

Let $((A_1, E_1, F_1), \ldots, (A_m, E_m, F_m))$ denote an ordering of the maximal structure 
$\bar{\mathcal{Z}}$ satisfying: $\forall 1 \leq i < j \leq m : E_j \cup F_i \neq \mathcal{P}$, and let $\mathcal{S}$ denote the induced 
sharing specification $\mathcal{S} = (S_1, \ldots, S_m)$ with $S_k = \mathcal{P} \setminus E_k$. Then the protocol 
OutputGeneration (see below) either publicly reconstructs a sharing $\langle s \rangle$ according to $\mathcal{S}$ 
or it aborts with a non-empty set $B \subseteq \mathcal{P}$ of incorrect players. Privacy is guaranteed under 
the assumption that the summands of $\langle s \rangle$ not known to the adversary are uniformly 
distributed. As long as no signature is forged, this holds for all sharings in our protocols. 


Protocol OutputGeneration($\mathcal{P}$, $\mathcal{Z}$, $\mathcal{S} = (S_1, \ldots, S_m)$, $\langle s \rangle$) 

1. For $k = 1, \ldots, m$, the following steps are executed sequentially. 

(a) $\mathrm{PubAnnounce}(\mathcal{P}, \mathcal{Z}, S_k, s_k, \ldots)$ is invoked to have the summand $s_k$ 
published. 

(b) If PubAnnounce aborts with $B$, then OutputGeneration immediately aborts 
with $B$. 

2. Every $p_j \in \mathcal{P}$ (locally) computes $s := \sum_{k=1}^{m} s_k$ and outputs $s$. 


Lemma 13. Assume that $C^{IC}(\mathcal{P},\mathcal{Z})$ holds, $\mathcal{S}$ is a $\mathcal{Z}$-private sharing specification 
constructed as explained, the condition $\forall S_k \in \mathcal{S},\ \forall (\cdot, E, \cdot) \in \mathcal{Z} : S_k \not\subseteq E$ holds, $\langle s \rangle$ is 
a consistent sharing according to $\mathcal{S}$ with the property that those summands that are 
unknown to the adversary are randomly chosen, and no signature is forged. Then the 
protocol OutputGeneration either publicly reconstructs $s$, or it aborts with a non-empty 
set $B \subseteq \mathcal{P}$ of incorrect players. If OutputGeneration aborts, then the protocol does not 
leak any information on $s$ to the adversary. 
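The conditions of Theorems 2 and 3 and the announcement order that OutputGeneration relies on, as an added Python example that is not part of the paper: it assumes a small constructed adversary structure over four players (chosen so that $C^{(2)}$ and $C_{ORD}$ hold while $C^{(1)}$ fails), computes a $C_{ORD}$ ordering by topological sorting of the forced "before" constraints, and simulates which summand each adversary class can block and whether a summand unknown to it is still unannounced at that point.

```python
"""Added example, not from the paper: C^(2), C^(1) and C_ORD on a constructed
adversary structure, the induced summand ordering, and a simulation of the
abort behaviour of protocol OutputGeneration (Lemma 13).

Players are the integers 1..4.  A class (A, E, F) lists the actively,
passively and fail-corrupted players (A is contained in E and in F).  The
structure Z below satisfies C^(2) and C_ORD but violates C^(1): it is
tolerable for SFE (Theorem 3) but not for reactive MPC (Theorem 2).
"""
from collections import deque

P = frozenset({1, 2, 3, 4})
Z = [
    (frozenset({1}), frozenset({1, 2}), frozenset({1})),    # Z_1: p1 active, p2 passive
    (frozenset(),    frozenset({3}),    frozenset({3, 4})),  # Z_2: p3 passive, p3,p4 may crash
]


def c2(players, Z):
    """C^(2): E_i ∪ E_j ∪ (F_i ∩ F_j) ≠ P for all pairs of classes (i = j included)."""
    return all((Ei | Ej | (Fi & Fj)) != players for _, Ei, Fi in Z for _, Ej, Fj in Z)


def c1(players, Z):
    """C^(1): E_i ∪ F_j ≠ P for all pairs of classes."""
    return all((Ei | Fj) != players for _, Ei, _ in Z for _, _, Fj in Z)


def ordering(players, Z):
    """C_ORD: indices of Z in an order with E_j ∪ F_i ≠ P whenever i precedes j,
    or None if no such order exists.

    Class i may precede class j iff E_j ∪ F_i ≠ P.  If only one direction is
    allowed, the pair is a hard constraint; an ordering exists iff these
    constraints form an acyclic graph, and then any topological order works.
    """
    m = len(Z)

    def may_precede(i, j):
        return (Z[j][1] | Z[i][2]) != players

    after = {i: set() for i in range(m)}      # after[i]: classes forced behind i
    indeg = [0] * m
    for i in range(m):
        for j in range(i + 1, m):
            if not may_precede(i, j) and not may_precede(j, i):
                return None                   # this pair cannot be ordered at all
            if not may_precede(i, j):         # j must come before i
                after[j].add(i); indeg[i] += 1
            elif not may_precede(j, i):       # i must come before j
                after[i].add(j); indeg[j] += 1
    queue = deque(i for i in range(m) if indeg[i] == 0)
    order = []
    while queue:
        i = queue.popleft()
        order.append(i)
        for j in after[i]:
            indeg[j] -= 1
            if indeg[j] == 0:
                queue.append(j)
    return order if len(order) == m else None


def sharing_spec(players, Z, order):
    """The induced specification S_k = P minus E_k, listed in announcement order."""
    return [players -Z[i][1] for i in order]


def output_generation(players, Z, order, summands, actual):
    """Simulate OutputGeneration with summand s_k held by S_k against the real
    adversary class Z[actual].  PubAnnounce of s_k can be made to fail exactly
    when every holder is fail-corrupted (S_k ⊆ F*); the worst-case adversary
    aborts at the first such k.  Returns ("output", s) or
    ("abort", k, some_summand_unknown_to_the_adversary_is_still_unannounced)."""
    _, E_star, F_star = Z[actual]
    spec = sharing_spec(players, Z, order)
    hidden = [k for k, S_k in enumerate(spec) if not (S_k & E_star)]
    for k, S_k in enumerate(spec):
        if S_k <= F_star:
            return ("abort", k, any(h >= k for h in hidden))
    return ("output", sum(summands))


if __name__ == "__main__":
    order = ordering(P, Z)
    print(c2(P, Z), c1(P, Z), order)                                   # True False [0, 1]
    print(output_generation(P, Z, order, [10, 32], actual=1))         # ('abort', 0, True)
    print(output_generation(P, Z, [1, 0], [32, 10], actual=1))        # ('abort', 1, False)
```

With the reversed (non-$C_{ORD}$) order the class $Z_2$ blocks the second announcement only after the single summand hidden from it was published, which is exactly the leak the ordering rule prevents.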

For completeness, we also include a detailed description of the SFE protocol (see be- 
low) and state its security in the following lemma. 


Protocol SFE($\mathcal{P}$, $\mathcal{Z}$, $C$) 

0. Let $\mathcal{S} = (\mathcal{P} \setminus E_1, \ldots, \mathcal{P} \setminus E_m)$ for the assumed ordering 
$((A_1, E_1, F_1), \ldots, (A_m, E_m, F_m))$ of $\bar{\mathcal{Z}}$. 

1. Input stage: For every input gate in $C$, Share is invoked to have the input player 
$p_i$ share his input $x_i$ according to $\mathcal{S}$.^a 

2. Computation stage: The gates in $C$ are evaluated as follows: 

- Addition gate: Invoke Add to compute a sharing of the sum according to $\mathcal{S}$. 

- Multiplication gate: Invoke Mult to compute a sharing of the product according 
to $\mathcal{S}$. 

3. Output stage: Invoke $\mathrm{OutputGeneration}(\mathcal{P}, \mathcal{Z}, \mathcal{S}, \langle s \rangle)$ for the sharing $\langle s \rangle$ of the 
public output. 

4. If any of the sub-protocols aborts with $B$, then set $\mathcal{P} := \mathcal{P} \setminus B$, and set $\mathcal{Z}$ to 
the adversary structure which is compatible with $B$ being incorrect, i.e., 
$\mathcal{Z} := \mathcal{Z}|^{B \subseteq F}_{\mathcal{P}}$, and go to Step 1. 

^a If in a later iteration a player $p_i \notin \mathcal{P}$ should give input, then the players in $\mathcal{P}$ pick the default 
sharing of a default value. 


MPC vs. SFE : Unconditional and Computational Security 


Lemma 14. The protocol SFE is unconditionally $\mathcal{Z}$-secure if $C^{(2)}(\mathcal{P},\mathcal{Z})$ and 
$C_{ORD}(\mathcal{P},\mathcal{Z})$ hold. 

To complete the proof of Theorem 3 we need to show that unconditionally $\mathcal{Z}$-secure 
SFE is not possible for some circuits when $C^{(2)}(\mathcal{P},\mathcal{Z})$ or $C_{ORD}(\mathcal{P},\mathcal{Z})$ is violated. The 
necessity of $C^{(2)}(\mathcal{P},\mathcal{Z})$ follows immediately from Lemma 11. The following lemma 
states the necessity of $C_{ORD}(\mathcal{P},\mathcal{Z})$. The idea of the proof is that when $C_{ORD}(\mathcal{P},\mathcal{Z})$ is 
violated then in any protocol evaluating the identity function, the adversary can break 
down the computation at a point where she has gained noticeable (i.e., not negligible) 
information about the output, although the correct players have only negligible 
information. For a more detailed proof the reader is referred to the full version of this paper. 

Lemma 15. If $C_{ORD}(\mathcal{P},\mathcal{Z})$ is violated, then there are functions that cannot be 
unconditionally $\mathcal{Z}$-securely evaluated. 

7 Computational Security 

In this section we show that conditions $C^{(1)}(\mathcal{P},\mathcal{Z})$ and $C_{ORD}(\mathcal{P},\mathcal{Z})$ from Theorems 2 
and 3 are sufficient and necessary for the existence of computationally $\mathcal{Z}$-secure MPC 
and SFE, respectively. 

Theorem 4. Assuming that enhanced trapdoor permutations exist, a set $\mathcal{P}$ of players 
can computationally $\mathcal{Z}$-securely compute any (reactive) computation (MPC) if 
and only if $C^{(1)}(\mathcal{P},\mathcal{Z})$ holds, and any non-reactive function (SFE) if and only if 
$C_{ORD}(\mathcal{P},\mathcal{Z})$ holds. 

The proof of necessity is very similar to the proofs of Lemmas 12 and 15 and, therefore, it is 
omitted. The sufficiency is proved by describing protocols that realize the corresponding 
primitive. Our approach is different from the one used in the previous sections. In particular, 
first, we design a protocol for SFE and then use it to design a protocol for MPC. 

Note that the above bounds directly imply corresponding bounds for a threshold adversary 
who actively corrupts $t_a$ players, passively corrupts $t_p$ players, and fail-corrupts 
$t_f$ players, simultaneously. Using the notation from [FHM98], we say that a protocol is 
$(t_a, t_p, t_f)$-secure if it tolerates such a threshold adversary. 

Corollary 1. Assuming that enhanced trapdoor permutations exist, a set $\mathcal{P}$ of players 
can computationally $(t_a, t_p, t_f)$-securely compute any computation (reactive or not) if 
and only if $2t_a + t_p + t_f < |\mathcal{P}|$. 

7.1 The SFE Protocol 

Our approach to SFE uses ideas from [IKLP06]. The evaluation of the given circuit 
$C$ proceeds in two stages, called the computation stage and the output stage. In the 
computation stage a uniformly random sharing of the output of $C$ on inputs provided 
by the players is computed.^8 For this purpose we use the (non-robust) SFE protocol 
from [Gol04] for dishonest majority which achieves partial fairness and unanimous 
abort ESED3. In the output stage the sharing of the output is publicly reconstructed, 
along the lines of the reconstruction protocol from Section 6. Both stages are non-robust 
and they might abort with a non-empty set $B \subseteq \mathcal{P}$ of incorrect players, but without 
violating privacy of the inputs. When this happens the whole evaluation is repeated 
among the players in $\mathcal{P} \setminus B$, where the inputs of the players in $B$ are fixed to a default 
pre-agreed value, and the adversary structure $\mathcal{Z}$ is reduced to the structure $\mathcal{Z}|^{B \subseteq F}$, i.e., 
the structure which is compatible with the players in $B$ being incorrect. 

^8 Without loss of generality (as in Section 6) we assume that the circuit $C$ to be computed has 
one public output. 

The secret-sharing scheme used here is similar to the one we use in the 
unconditional-security case. More precisely, the secret is split into uniformly random 
summands $s_1, \ldots, s_m \in \mathbb{F}$ that add up to the secret, where each player might hold several 
of those summands, according to some sharing specification $\mathcal{S} = (S_1, \ldots, S_m)$. 
The difference is that the players do not hold signatures on their summands, but they 
are committed to them (towards all players) by a perfectly hiding commitment scheme.^9 
In particular, for each summand $s_k$, all players hold a commitment to $s_k$ such that each 
$p_i \in S_k$ holds the corresponding decommitment information to open it. 

The computation stage. In the computation stage, instead of $C$ we evaluate the circuit 
$C'$ which computes a uniformly random sharing $\langle y \rangle$ of the output $y$ of $C$ according 
to $\mathcal{S}_{\mathcal{Z}}$, i.e., the sharing specification associated with $\mathcal{Z}$. The circuit $C'$ can be 
easily constructed from $C$ [IKLP06]. To evaluate $C'$ the players invoke the protocol for 
SFE from [Gol04] for the model where authenticated broadcast channels (but no bilateral 
point-to-point channels) are given, which tolerates any number of $t < n$ actively 
corrupted players. As proved in EEHE1, with this protocol we achieve the following 
properties: There is a $p \in \mathcal{P}$ (specified by the protocol), such that when $p$ is uncorrupted 
the circuit $C'$ is securely evaluated, otherwise the adversary can decide either to 
make all players abort the protocol or to allow $C'$ to be securely evaluated. Note that 
the adversary can decide whether or not the protocol aborts even after having received 
the outputs of the passively corrupted players. Furthermore, by inspecting the protocol 
in [Gol04], one can verify that it actually satisfies some additional properties, which are 
relevant when all three corruption types are considered, namely (1) if $p$ is correct then 
the protocol does not abort,^10 (2) a correct player always gives his (correct) input to the 
evaluation of $C'$, and (3) a non-actively corrupted player does not give a wrong input 
(but might give no input if he crashes). By the above properties it is clear that the protocol 
can abort only if $p$ is incorrect (i.e., $B = \{p\}$). Moreover, when it aborts privacy of 
the inputs is not violated as the outputs of passively corrupted players are their shares 
of $\langle y \rangle$ plus perfectly hiding commitments to all the summands of $\langle y \rangle$. 

The output stage. The output stage is similar to the output stage of protocol SFE 
described in Section 6. The summands of $\langle y \rangle$ are announced sequentially in the order 
implied by $C_{ORD}(\mathcal{P},\mathcal{Z})$. This guarantees (as in protocol OutputGeneration) that when 
the announcing of a summand aborts, then the output stage can abort without violating 
privacy (the summand of $\langle y \rangle$ associated with the actual adversary has not been announced 
yet). To announce a summand, protocol CompPubAnnounce is invoked which 
is a trivially modified version of PubAnnounce to use openings of commitments instead 
of signatures. We refer to the above-described SFE protocol as CompSFE. 

^9 Such commitment schemes are known to exist if (enhanced) trapdoor permutations 
exist I0MWH1. 

^10 Note that a correct player is not necessarily uncorrupted. 

Lemma 16. Assuming that enhanced trapdoor permutations exist, the protocol 
CompSFE is computationally $\mathcal{Z}$-secure if $C_{ORD}(\mathcal{P},\mathcal{Z})$ holds. 

7.2 The MPC Protocol 

A protocol for MPC can be built based on a (robust) general SFE protocol and a robustly 
reconstructible secret-sharing scheme, in a straightforward way: the SFE protocol is 
used to securely evaluate the circuit gate-by-gate, where each intermediary result is 
shared among the players. In fact, the secret-sharing scheme described in Section 4.1, 
for sharing specification $\mathcal{S}_{\mathcal{Z}}$, is robustly reconstructible if $C^{(1)}(\mathcal{P},\mathcal{Z})$ holds. Indeed, 
condition $C^{(1)}(\mathcal{P},\mathcal{Z})$ ensures that for any shared value each summand is known to at 
least one player who is not actively or fail-corrupted and will not change or delete it. 
Hence, the shared value is uniquely determined by the views of the players. Therefore, 
we can use protocol CompSFE to evaluate any (reactive) circuit as follows: For each 
input gate, invoke CompSFE to evaluate the circuit $C_{input}$ which computes a sharing 
(according to $\mathcal{S}_{\mathcal{Z}}$) of the input value. For the addition and multiplication gate, invoke 
CompSFE to evaluate the circuits $C_{add}$ and $C_{mult}$ which on input the sharings of two 
values $s$ and $t$ output a sharing of the sum $s + t$ and of the product $st$, respectively. For 
output gates, invoke CompSFE to evaluate the circuit $C_{output}$ which on input the sharing 
of some value $s$ outputs $s$ towards the corresponding player. We refer to the resulting 
MPC protocol as CompMPC. 

Lemma 17. Protocol CompMPC is computationally $\mathcal{Z}$-secure if $C^{(1)}(\mathcal{P},\mathcal{Z})$ holds. 

8 Conclusions 

We considered MPC and SFE in the presence of a general adversary who can actively, 
passively, and fail corrupt players, simultaneously. For both primitives we gave exact 
characterizations of the tolerable adversary structures for achieving unconditional (aka 
statistical) and computational security, when a broadcast channel is given. As in the case 
of threshold adversaries, the achieved bounds are strictly better than those required for 
perfect security, where no error probability is allowed. Our results confirm that in all 
three security models (perfect, unconditional, and computational) there are adversary 
structures that can be tolerated for SFE but not for MPC. 
Abstract. Strongly multiplicative linear secret sharing schemes (LSSS) 
have been a powerful tool for constructing secure multi-party computa- 
tion protocols. However, it remains open whether or not there exist effi- 
cient constructions of strongly multiplicative LSSS from general LSSS. In 
this paper, we propose the new concept of 3-multiplicative LSSS, and es- 
tablish its relationship with strongly multiplicative LSSS. More precisely, 
we show that any 3-multiplicative LSSS is a strongly multiplicative LSSS, 
but the converse is not true; and that any strongly multiplicative LSSS 
can be efficiently converted into a 3-multiplicative LSSS. Furthermore, 
we apply 3-multiplicative LSSS to the computation of unbounded fan-in 
multiplication, which reduces its round complexity to four (from five of 
the previous protocol based on multiplicative LSSS). We also give two 
constructions of 3-multiplicative LSSS from Reed-Muller codes and alge- 
braic geometric codes. We believe that the construction and verification 
of 3-multiplicative LSSS are easier than those of strongly multiplicative 
LSSS. This presents a step forward in settling the open problem of effi- 
cient constructions of strongly multiplicative LSSS from general LSSS. 

Keywords: monotone span program, secure multi-party computation, 
strongly multiplicative linear secret sharing scheme. 


1 Introduction 

Secure multi-party computation (MPC) jl lilbj is a cryptographic primitive that 
enables n players to jointly compute an agreed function of their private inputs 
in a secure way, guaranteeing the correctness of the outputs as well as the pri- 
vacy of the players’ inputs, even when some players are malicious. It has become 
a fundamental tool in cryptography and distributed computation. Linear se- 
cret sharing schemes (LSSS) play an important role in building MPC protocols. 
Cramer et al. |Sj developed a generic method of constructing MPC protocols from 
LSSS. Assuming that the function to be computed is represented as an arithmetic 
circuit over a finite field, their protocol ensures that each player shares his 
private input through an LSSS, and then evaluates the circuit gate by gate. The 
main idea of their protocol is to keep the intermediate results secretly shared 
among the players with the underlying LSSS. Due to the nature of linearity, 
secure additions (and linear operations) can be easily achieved. For instance, 
if player $P_i$ holds the share $x_{1i}$ for input $x_1$ and $x_{2i}$ for input $x_2$, he can locally 
compute $x_{1i} + x_{2i}$, which is actually $P_i$'s share for $x_1 + x_2$. Unfortunately, 
the above homomorphic property does not hold for multiplication. In order to 
securely compute multiplications, Cramer et al. jOj introduced the concept of 
multiplicative LSSS, where the product $x_1 x_2$ can be computed as a linear combination 
of the local products of shares, that is, $x_1 x_2 = \sum_{i=1}^{n} a_i x_{1i} x_{2i}$ for some 
constants $a_i$, $1 \leq i \leq n$. Since $x_{1i} x_{2i}$ can be locally computed by $P_i$, the product 
can then be securely computed through a linear combination. Furthermore, in 
order to resist against an active adversary, they defined strongly multiplicative 
LSSS, where $x_1 x_2$ can be computed as a linear combination of the local products 
of shares by all players excluding any corrupted subset. Therefore, multiplicativity 
becomes an important property in constructing secure MPC protocols. For 
example, using strongly multiplicative LSSS, we can construct an error-free MPC 
protocol secure against an active adversary in the information-theoretic model 
0. Cramer et al. 0 also gave an efficient reconstruction algorithm for strongly 
multiplicative LSSS that recovers the secret even when the shares submitted by 
the corrupted players contain errors. This implicit "built-in" verifiability makes 
strongly multiplicative LSSS an attractive building block for MPC protocols. 

Due to their important role as the building blocks in MPC protocols, efficient 
constructions of multiplicative LSSS and strongly multiplicative LSSS have been 
studied by several authors in recent years. Cramer et al. j 0 | developed a generic 
method of constructing a multiplicative LSSS from any given LSSS with a double 
expansion of the shares. Nikov et al. m studied how to securely compute multi- 
plications in a dual LSSS, without blowing up the shares. For some specific access 
structures there exist very efficient multiplicative LSSS. Shamir’s threshold se- 
cret sharing scheme is a well-known example of an ideal (strongly) multiplicative 
LSSS. Besides, self-dual codes give rise to ideal multiplicative LSSS [ZJ, and Liu 
et al. EH provided a further class of ideal multiplicative LSSS for some kind of 
graph access structure. We note that for strongly multiplicative LSSS, the known 
general construction is of exponential complexity. Kasper et al. EH gave some 
efficient constructions for specific access structures (hierarchical threshold struc- 
tures). It remains open whether there exists an efficient transformation from a 
general LSSS to a strongly multiplicative one. 

On the other hand, although in a multiplicative LSSS, multiplication can be 
converted into a linear combination of inputs from the players, each player has to 
reshare the product of his shares, that is, for $1 \leq i \leq n$, $P_i$ needs to reshare the 
product $x_{1i} x_{2i}$ to securely compute the linear combination $\sum_{i=1}^{n} a_i x_{1i} x_{2i}$. This 
resharing process involves costly interactions among the players. For example, if 
the players are to securely compute multiple multiplications, $\prod_{i=1}^{l} x_i$, the simple 
sequential multiplication requires interaction of round complexity proportional 
to $l$. Using the technique developed by Bar-Ilan and Beaver [1], Cramer et al. 
gj recently showed that the round complexity can be significantly reduced to a 
constant of five for unbounded fan-in multiplications. However, the method does 
not seem efficient when $l$ is small. For example, considering $x_1 x_2$ and $x_1 x_2 x_3$, 
extra rounds of interactions seem unavoidable for computing $x_1 x_2 x_3$ even though 
we apply the method of Cramer et al. 0. 

1.1 Our Contribution 

In this paper, we propose the concept of 3-multiplicative LSSS. Roughly speaking,
a 3-multiplicative LSSS is a generalization of multiplicative LSSS in which
the product $x_1x_2x_3$ is a linear combination of the local products of shares. As
one would expect, a 3-multiplicative LSSS achieves better round complexity for
the computation of $\prod_{i=1}^{l} x_i$ than a multiplicative LSSS whenever $l \ge 3$,
since one round of interaction now multiplies three factors instead of two. For
instance, with $l = 9$ the product $\prod_{i=1}^{9} x_i$ requires two rounds of
interaction for a 3-multiplicative LSSS ($3^2 = 9$) but four rounds for a
multiplicative LSSS ($2^3 < 9 \le 2^4$). We also extend the concept of
3-multiplicative LSSS to the more general $\lambda$-multiplicative LSSS, for all
integers $\lambda \ge 3$, and show that $\lambda$-multiplicative LSSS reduce the round
complexity by a factor of $\log_2 \lambda$ compared with multiplicative LSSS
(roughly $\log_\lambda l$ rounds instead of $\log_2 l$). In particular,
3-multiplicative LSSS reduce the constant round complexity of computing the
unbounded fan-in multiplication from five to four, thus improving a result of
Cramer et al.

More importantly, we show that 3-multiplicative LSSS are closely related to 
strongly multiplicative LSSS. The latter is known to be a powerful tool for 
constructing secure MPC protocols against active adversaries. More precisely, 
we show the following: 

(i) 3-multiplicative LSSS are also strongly multiplicative; 

(ii) there exists an efficient algorithm that transforms a strongly multiplicative 
LSSS into a 3-multiplicative LSSS; 

(iii) there exists a strongly multiplicative LSSS that is not 3-multiplicative.

Our results contribute to the study of MPC in the following three aspects: 

— The 3-multiplicative LSSS outperform strongly multiplicative LSSS with re- 
spect to round complexity in the construction of secure MPC protocols. 

— The 3-multiplicative LSSS are easier to construct than strongly multiplicative
LSSS. First, the existence of an efficient transformation from a strongly
multiplicative LSSS to a 3-multiplicative LSSS implies that efficiently
constructing 3-multiplicative LSSS is not a harder problem. Second, verification
of a strongly multiplicative LSSS requires checking the linear combinations for
all possible adversary sets, while the verification of a 3-multiplicative LSSS
requires only one check. We give two constructions of LSSS based on Reed-Muller
codes and algebraic geometric codes that can easily be verified to be
3-multiplicative, but it does not seem easy to give direct proofs of their strong
multiplicativity.
— This work provides two possible directions toward solving the open problem
of determining the existence of efficient constructions for strongly multiplicative
LSSS. On the negative side, if one can prove that, in the information-theoretic
model and with polynomial-size messages exchanged, computing $x_1x_2x_3$
inevitably needs more rounds of interaction than computing $x_1x_2$, then the
open problem has a negative answer. On the positive side, if one can find an
efficient construction for 3-multiplicative LSSS, which by Theorem 3 also yields
strongly multiplicative LSSS, then the open problem has an affirmative answer.

1.2 Organization 

Section 2 gives notation, the definition of multiplicative LSSS, and general
constructions for strongly multiplicative LSSS. Section 3 defines 3-multiplicative
LSSS. Section 4 shows the relationship between 3-multiplicative LSSS and strongly
multiplicative LSSS. Section 5 gives two constructions of 3-multiplicative LSSS from
error-correcting codes, and Section 6 discusses the implications of 3-multiplicative
LSSS in MPC. Section 7 concludes the paper.

2 Preliminaries 

Throughout this paper, let $P = \{P_1, \dots, P_n\}$ denote the set of $n$ players and
let $\mathcal{K}$ be a finite field. In a secret sharing scheme, the collection of all subsets
of players that are authorized to recover the secret is called its access structure,
and is denoted by $\mathcal{AS}$. An access structure possesses the monotone ascending
property: if $A' \in \mathcal{AS}$, then for all $A \subseteq P$ with $A \supseteq A'$, we also have
$A \in \mathcal{AS}$. Similarly, the collection of subsets of players that may be corrupted is
called the adversary structure, and is denoted by $\mathcal{A}$. An adversary structure
possesses the monotone descending property: if $A' \in \mathcal{A}$, then for all $A \subseteq P$
with $A \subseteq A'$, we also have $A \in \mathcal{A}$. Owing to these monotone properties, it is
often sufficient to consider the minimum access structure $\mathcal{AS}_{\min}$ and the
maximum adversary structure $\mathcal{A}_{\max}$ defined as follows:

$$\mathcal{AS}_{\min} = \{A \in \mathcal{AS} \mid \forall B \subseteq P,\ B \subsetneq A \Rightarrow B \notin \mathcal{AS}\},$$

$$\mathcal{A}_{\max} = \{A \in \mathcal{A} \mid \forall B \subseteq P,\ B \supsetneq A \Rightarrow B \notin \mathcal{A}\}.$$

In this paper, we consider the complete situation, that is, $\mathcal{A} = 2^P - \mathcal{AS}$.
Moreover, an adversary structure $\mathcal{A}$ is called $Q_2$ (respectively, $Q_3$) if no two
(respectively, three) sets in $\mathcal{A}$ cover the entire player set $P$. For simplicity,
when an adversary structure $\mathcal{A}$ is $Q_2$ (respectively, $Q_3$) we also say that the
corresponding access structure $\mathcal{AS} = 2^P - \mathcal{A}$ is $Q_2$ (respectively, $Q_3$).

2.1 Linear Secret Sharing Schemes and Monotone Span Programs 

Suppose $\mathcal{S}$ is the secret domain, $\mathcal{R}$ is the set of random inputs, and $\mathcal{S}_i$ is
the share domain of $P_i$, where $1 \le i \le n$. Let $S$ and $R$ denote random variables
taking values in $\mathcal{S}$ and $\mathcal{R}$, respectively. Then
$\Pi : \mathcal{S} \times \mathcal{R} \to \mathcal{S}_1 \times \cdots \times \mathcal{S}_n$ is called
a secret sharing scheme (SSS) with respect to the access structure $\mathcal{AS}$ if the
following two conditions are satisfied:

1. for all $A \in \mathcal{AS}$, $H(S \mid \Pi(S,R)|_A) = 0$;

2. for all $B \notin \mathcal{AS}$, $H(S \mid \Pi(S,R)|_B) = H(S)$,

where $H(\cdot)$ is the entropy function and $\Pi(S,R)|_A$ denotes the shares of the
players in $A$. Furthermore, the secret sharing scheme $\Pi$ is called linear if
$\mathcal{S} = \mathcal{K}$, $\mathcal{R} = \mathcal{K}^{l-1}$, and $\mathcal{S}_i = \mathcal{K}^{d_i}$ for some positive
integers $l$ and $d_i$, $1 \le i \le n$, and the reconstruction of the secret can be
performed by taking a linear combination of the shares of the authorized players.
The quantity $d = \sum_{i=1}^{n} d_i$ is called the size of the LSSS.

Karchmer and Wigderson introduced monotone span programs (MSP)
as a linear model for computing monotone Boolean functions. We denote an
MSP by $\mathcal{M}(\mathcal{K}, M, \psi, v)$, where $M$ is a $d \times l$ matrix over $\mathcal{K}$,
$\psi : \{1, \dots, d\} \to \{P_1, \dots, P_n\}$ is a surjective labeling map, and
$v \in \mathcal{K}^l$ is a nonzero vector. We call $d$ the size of the MSP and $v$ the target
vector. A monotone Boolean function $f : \{0,1\}^n \to \{0,1\}$ satisfies
$f(\delta') \ge f(\delta)$ for any $\delta' \ge \delta$, where $\delta = (\delta_1, \dots, \delta_n)$,
$\delta' = (\delta'_1, \dots, \delta'_n) \in \{0,1\}^n$, and $\delta' \ge \delta$ means
$\delta'_i \ge \delta_i$ for $1 \le i \le n$. We say that an MSP $\mathcal{M}(\mathcal{K}, M, \psi, v)$
computes the monotone Boolean function $f$ if $v \in \mathrm{span}\{M_A\}$ if and only if
$f(\delta_A) = 1$, where $A$ is a set of players, $M_A$ denotes the matrix $M$ restricted
to the rows labeled by players in $A$, $\mathrm{span}\{M_A\}$ denotes the linear space
spanned by the row vectors of $M_A$, and $\delta_A$ is the characteristic vector of $A$.

Theorem 1 (Beimel). Suppose $\mathcal{AS}$ is an access structure over $P$ and $f_{\mathcal{AS}}$
is the characteristic function of $\mathcal{AS}$, that is, $f_{\mathcal{AS}}(\delta) = 1$ if and only if
$\delta = \delta_A$ for some $A \in \mathcal{AS}$. Then there exists an LSSS of size $d$ that
realizes $\mathcal{AS}$ if and only if there exists an MSP of size $d$ that computes
$f_{\mathcal{AS}}$.

Since an MSP computes the same Boolean function under an invertible linear
transformation of its columns (applied to the target vector as well), we can always
assume that the target vector is $e_1 = (1, 0, \dots, 0)$. From an MSP that computes
$f_{\mathcal{AS}}$, we can derive an LSSS realizing $\mathcal{AS}$ as follows: to share a secret
$s \in \mathcal{K}$, the dealer randomly selects $\rho \in \mathcal{K}^{l-1}$, computes $M(s,\rho)^T$ and
sends $M_{P_i}(s,\rho)^T$ to $P_i$ as his share, where $1 \le i \le n$ and $T$ denotes the
transpose. The following property of MSP is useful in the proofs of our results.

Proposition 1 (Karchmer and Wigderson). Let $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be
an MSP that computes a monotone Boolean function $f$. Then for all $A \subseteq P$,
$e_1 \notin \mathrm{span}\{M_A\}$ if and only if there exists $\rho \in \mathcal{K}^{l-1}$ such that
$M_A(1,\rho)^T = \mathbf{0}^T$.


2.2 Multiplicative Linear Secret Sharing Schemes 

By Theorem 1, an LSSS can be identified with its corresponding MSP in the
following way. Let $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be an LSSS realizing the access structure
$\mathcal{AS}$. Given two vectors $x = (x_1, \dots, x_d)$, $y = (y_1, \dots, y_d) \in \mathcal{K}^d$, we
define $x \diamond y$ to be the vector containing all entries of the form $x_i \cdot y_j$ with
$\psi(i) = \psi(j)$. More precisely, let

$$x = (x_{11}, \dots, x_{1d_1}, \dots, x_{n1}, \dots, x_{nd_n}),$$

$$y = (y_{11}, \dots, y_{1d_1}, \dots, y_{n1}, \dots, y_{nd_n}),$$

where $\sum_{i=1}^{n} d_i = d$, and $(x_{i1}, \dots, x_{id_i})$, $(y_{i1}, \dots, y_{id_i})$ are the
entries distributed to $P_i$ according to $\psi$. Then $x \diamond y$ is the vector composed of
the $\sum_{i=1}^{n} d_i^2$ entries $x_{ij}y_{ik}$, where $1 \le j, k \le d_i$, $1 \le i \le n$. For
consistency, we write the entries of $x \diamond y$ in some fixed order. We also define
$(x \diamond y)^T = x^T \diamond y^T$.

Definition 1 (Multiplicativity). Let $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be an LSSS realizing
the access structure $\mathcal{AS}$ over $P$. Then $\mathcal{M}$ is called multiplicative if there
exists a recombination vector $z \in \mathcal{K}^{\sum_{i=1}^{n} d_i^2}$ such that for all
$s, s' \in \mathcal{K}$ and $\rho, \rho' \in \mathcal{K}^{l-1}$, we have

$$ss' = z\left(M(s,\rho)^T \diamond M(s',\rho')^T\right).$$

Moreover, $\mathcal{M}$ is strongly multiplicative if for all $A \in \mathcal{A} = 2^P - \mathcal{AS}$,
$\mathcal{M}_{\bar{A}}$ is multiplicative, where $\mathcal{M}_{\bar{A}}$ denotes the MSP $\mathcal{M}$ restricted
to the subset $\bar{A} = P - A$.

Proposition 2 (Cramer et al.). Let $\mathcal{AS}$ be an access structure over $P$.
Then there exists a multiplicative (respectively, strongly multiplicative) LSSS
realizing $\mathcal{AS}$ if and only if $\mathcal{AS}$ is $Q_2$ (respectively, $Q_3$).

2.3 General Constructions of Strongly Multiplicative LSSS 

For every $Q_2$ access structure $\mathcal{AS}$, Cramer et al. gave an efficient construction
to build a multiplicative LSSS from a general LSSS realizing the same $\mathcal{AS}$. It
remains open whether we can efficiently construct a strongly multiplicative LSSS
from an LSSS. However, there are general constructions with exponential complexity,
as described below.

Since Shamir's threshold secret sharing scheme is strongly multiplicative for
every $Q_3$ threshold access structure, a proper composition of Shamir's threshold
secret sharing schemes results in a general construction for strongly multiplicative
LSSS. Here, we give another general construction based on multiplicative LSSS.

Let $\mathcal{AS}$ be any $Q_3$ access structure and $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be an LSSS
realizing $\mathcal{AS}$. For all $A \in \mathcal{A} = 2^P - \mathcal{AS}$, it is easy to see that
$\mathcal{M}_{\bar{A}}$ realizes the restricted access structure
$\mathcal{AS}_{\bar{A}} = \{B \subseteq \bar{A} \mid B \in \mathcal{AS}\}$. The access structure
$\mathcal{AS}_{\bar{A}}$ is $Q_2$ over $\bar{A}$ because $\mathcal{AS}$ is $Q_3$ over $A \cup \bar{A}$. Thus,
we can transform each $\mathcal{M}_{\bar{A}}$ into a multiplicative LSSS following the general
construction of Cramer et al., and the combination of all these expanded schemes is
a strongly multiplicative LSSS realizing $\mathcal{AS}$. The example in Section 4.3 gives an
illustration of this method.

We note that both constructions above give LSSS of exponential sizes, and 
hence are not efficient in general. 
3 3-Multiplicative and $\lambda$-Multiplicative LSSS

In this section, we give an equivalent definition for (strongly) multiplicative
LSSS. We then define 3-multiplicative LSSS and give a necessary and sufficient
condition for their existence. The notion of 3-multiplicativity is also extended to
$\lambda$-multiplicativity for all integers $\lambda \ge 1$. Finally, we present a generic
(but inefficient) construction of $\lambda$-multiplicative LSSS.

Under the same notation as in Section 2.2, it is straightforward to see that
we have an induced labeling map
$\psi' : \{1, \dots, \sum_{i=1}^{n} d_i^2\} \to \{P_1, \dots, P_n\}$ on the entries of
$x \diamond y$, distributing the entry $x_{ij}y_{ik}$ to $P_i$, since both $x_{ij}$ and $y_{ik}$
are labeled by $P_i$ under $\psi$. For an MSP $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$, denote
$M = (M_1, \dots, M_l)$, where $M_i \in \mathcal{K}^d$ is the $i$-th column vector of $M$,
$1 \le i \le l$. We construct a new matrix $M_\diamond$ as follows:

$$M_\diamond = (M_1 \diamond M_1, \dots, M_1 \diamond M_l,\ M_2 \diamond M_1, \dots, M_2 \diamond M_l,\ \dots,\ M_l \diamond M_1, \dots, M_l \diamond M_l).$$

For consistency, we also denote $M_\diamond$ as $M \diamond M$. Obviously, $M_\diamond$ is a matrix
over $\mathcal{K}$ with $\sum_{i=1}^{n} d_i^2$ rows and $l^2$ columns. For any two vectors
$u, v \in \mathcal{K}^l$, it is easy to verify that

$$(Mu^T) \diamond (Mv^T) = M_\diamond (u \otimes v)^T,$$

where $\otimes$ denotes the tensor product with its entries written in the matching
order. Define the induced labeling map $\psi'$ on the rows of $M_\diamond$. We have the
following proposition.

Proposition 3. Let $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be an LSSS realizing the access structure
$\mathcal{AS}$, and let $M_\diamond$ carry the labeling map $\psi'$. Then $\mathcal{M}$ is multiplicative if
and only if $e_1 \in \mathrm{span}\{M_\diamond\}$, where $e_1 = (1, 0, \dots, 0) \in \mathcal{K}^{l^2}$.
Moreover, $\mathcal{M}$ is strongly multiplicative if and only if
$e_1 \in \mathrm{span}\{(M_\diamond)_{\bar{A}}\}$ for all $A \in \mathcal{A} = 2^P - \mathcal{AS}$.

Proof. By Definition 1, $\mathcal{M}$ is multiplicative if and only if
$ss' = z(M(s,\rho)^T \diamond M(s',\rho')^T)$ for all $s, s' \in \mathcal{K}$ and
$\rho, \rho' \in \mathcal{K}^{l-1}$. Obviously,

$$M(s,\rho)^T \diamond M(s',\rho')^T = M_\diamond\left((s,\rho) \otimes (s',\rho')\right)^T = M_\diamond (ss', \rho'')^T, \qquad (1)$$

where $(ss', \rho'') = (s,\rho) \otimes (s',\rho')$. On the other hand,
$ss' = e_1 (ss', \rho'')^T$. Thus $\mathcal{M}$ is multiplicative if and only if

$$(e_1 - zM_\diamond)(ss', \rho'')^T = 0. \qquad (2)$$

Because $s, s', \rho$ and $\rho'$ are arbitrary, the vectors $(ss', \rho'')$ span all of
$\mathcal{K}^{l^2}$, so equality (2) holds for all of them if and only if $e_1 - zM_\diamond = 0$,
that is, $e_1 \in \mathrm{span}\{M_\diamond\}$. The second part of the proposition can be
proved similarly. □

Now we are ready to give the definition of 3-multiplicative LSSS. We extend the
diamond product "$\diamond$" and define $x \diamond y \diamond z$ to be the vector containing all
entries of the form $x_i y_j z_k$ with $\psi(i) = \psi(j) = \psi(k)$, where the entries of
$x \diamond y \diamond z$ are written in some fixed order.

Definition 2 (3-Multiplicativity). Let $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be an LSSS
realizing the access structure $\mathcal{AS}$. Then $\mathcal{M}$ is called 3-multiplicative if there
exists a recombination vector $z \in \mathcal{K}^{\sum_{i=1}^{n} d_i^3}$ such that for all
$s_1, s_2, s_3 \in \mathcal{K}$ and $\rho_1, \rho_2, \rho_3 \in \mathcal{K}^{l-1}$ we have

$$s_1 s_2 s_3 = z\left(M(s_1,\rho_1)^T \diamond M(s_2,\rho_2)^T \diamond M(s_3,\rho_3)^T\right).$$

We can derive an equivalent definition for 3-multiplicative LSSS, similar to
Proposition 3: $\mathcal{M}$ is 3-multiplicative if and only if
$e_1 \in \mathrm{span}\{M \diamond M \diamond M\}$. The following proposition gives a necessary
and sufficient condition for the existence of 3-multiplicative LSSS.

Proposition 4. For every access structure $\mathcal{AS}$, there exists a 3-multiplicative
LSSS realizing $\mathcal{AS}$ if and only if $\mathcal{AS}$ is $Q_3$.

Proof. Suppose $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ is a 3-multiplicative LSSS realizing
$\mathcal{AS}$, and suppose, to the contrary, that $\mathcal{AS}$ is not $Q_3$, so there exist
$A_1, A_2, A_3 \in \mathcal{A} = 2^P - \mathcal{AS}$ such that $A_1 \cup A_2 \cup A_3 = P$. By
Proposition 1, there exists $\rho_i \in \mathcal{K}^{l-1}$ such that $M_{A_i}(1,\rho_i)^T = \mathbf{0}^T$
for $1 \le i \le 3$. Since $A_1 \cup A_2 \cup A_3 = P$, every player lies in some $A_i$, so
each local triple product has a zero factor and
$M(1,\rho_1)^T \diamond M(1,\rho_2)^T \diamond M(1,\rho_3)^T = \mathbf{0}^T$, whereas Definition 2
requires this vector to recombine to $1 \cdot 1 \cdot 1 = 1$, a contradiction.

On the other hand, a general construction for building a 3-multiplicative LSSS
from a strongly multiplicative LSSS is given in the next section, so sufficiency
is guaranteed by Proposition 2. □
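The following Python program is an added illustration, not code from the paper or its authors. It makes the span tests of Proposition 3 and Definition 2 (and, for general $\lambda$, Definition 3) concrete for Shamir's scheme with degree-$t$ polynomials, and contrasts them with the combinatorial check of strong multiplicativity in Definition 1, which runs one elimination per adversary set. The prime field $\mathbb{F}_{11}$, the evaluation points $1, \dots, n$ and all function names are assumptions of the example. It builds $M$, $M \diamond M$ and $M \diamond M \diamond M$ together with the induced labelling $\psi'$, decides $e_1 \in \mathrm{span}\{\cdot\}$ by Gauss-Jordan elimination over $\mathbb{F}_p$, returns the recombination vector $z$ when one exists, and verifies $\prod_i s_i = z(\diamond_i M(s_i,\rho_i)^T)$ on concrete secrets and randomness.

```python
# Added example (not from the paper): multiplicativity checks for an LSSS given as an
# MSP (M, psi, e_1) over F_P.  P = 11 and the Shamir evaluation points 1..n are
# assumptions of this illustration, not choices made by the paper.
from itertools import combinations

P = 11  # the field K = F_11 (assumption)

def shamir_msp(t, n):
    """Shamir with degree-t polynomials: row of P_i is (1, i, ..., i^t), so M(s, rho)^T
    evaluates s + rho_1 x + ... + rho_t x^t at x = 1..n.  labels[j] = owner of row j."""
    return [[pow(i, j, P) for j in range(t + 1)] for i in range(1, n + 1)], list(range(1, n + 1))

def share(M, s, rho):
    """M(s, rho)^T: the share vector, entry j going to player labels[j]."""
    vec = [s] + list(rho)
    return [sum(a * b for a, b in zip(row, vec)) % P for row in M]

def kron(a, b):
    """Tensor product of two row vectors, entries in (a-index, b-index) order."""
    return [x * y % P for x in a for y in b]

def diamond_vec(x, lx, y, ly):
    """x <> y: products x_j*y_k with psi(j) == psi(k) in (j, k) order, plus induced labels."""
    pairs = [(x[j] * y[k] % P, lx[j]) for j in range(len(x))
             for k in range(len(y)) if lx[j] == ly[k]]
    return [v for v, _ in pairs], [p for _, p in pairs]

def diamond_mat(A, lA, B, lB):
    """Row-wise diamond product: row (j, k) is A_j (x) B_k when both rows belong to one
    player.  Same (j, k) order as diamond_vec, so (A u^T) <> (B v^T) == (A <> B)(u (x) v)^T."""
    pairs = [(kron(A[j], B[k]), lA[j]) for j in range(len(A))
             for k in range(len(B)) if lA[j] == lB[k]]
    return [r for r, _ in pairs], [p for _, p in pairs]

def diamond_power(M, labels, lam):
    """M <> ... <> M (lam copies) with its induced labelling."""
    R, lR = M, labels
    for _ in range(lam - 1):
        R, lR = diamond_mat(R, lR, M, labels)
    return R, lR

def in_row_span(rows, target):
    """Gauss-Jordan over F_P: return z with z . rows == target, or None."""
    n, m = len(rows), len(target)
    aug = [[v % P for v in r] + [int(i == j) for j in range(n)]  # unit part tracks z
           for i, r in enumerate(rows)]
    pivots, prow = [], 0
    for col in range(m):
        piv = next((r for r in range(prow, n) if aug[r][col]), None)
        if piv is None:
            continue
        aug[prow], aug[piv] = aug[piv], aug[prow]
        inv = pow(aug[prow][col], P - 2, P)
        aug[prow] = [v * inv % P for v in aug[prow]]
        for r in range(n):
            if r != prow and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % P for a, b in zip(aug[r], aug[prow])]
        pivots.append(col)
        prow += 1
    t = list(target) + [0] * n
    for i, col in enumerate(pivots):
        if t[col]:
            f = t[col]
            t = [(a - f * b) % P for a, b in zip(t, aug[i])]
    return None if any(t[:m]) else [(-v) % P for v in t[m:]]

def lambda_recombination(M, labels, lam):
    """Proposition 3 / Definition 3: is e_1 in span{M <> ... <> M} (lam copies)?
    Returns the recombination vector z, or None."""
    R, _ = diamond_power(M, labels, lam)
    return in_row_span(R, [1] + [0] * (len(R[0]) - 1))

def check_recombination(M, labels, lam, secrets, randomness):
    """Definition 3 on concrete inputs: prod(s_i) == z . (<>_i M(s_i, rho_i)^T)."""
    z = lambda_recombination(M, labels, lam)
    if z is None:
        return False
    sh, lab = share(M, secrets[0], randomness[0]), labels
    for s, r in zip(secrets[1:], randomness[1:]):
        sh, lab = diamond_vec(sh, lab, share(M, s, r), labels)
    expected = 1
    for s in secrets:
        expected = expected * s % P
    return sum(a * b for a, b in zip(z, sh)) % P == expected

def is_strongly_multiplicative(M, labels, authorized):
    """Definition 1, combinatorial form: for every unauthorized set A the rows of
    M <> M owned by P - A must span e_1 (one elimination per adversary set)."""
    players = sorted(set(labels))
    R, lR = diamond_power(M, labels, 2)
    e1 = [1] + [0] * (len(R[0]) - 1)
    for size in range(len(players) + 1):
        for A in combinations(players, size):
            if authorized(set(A)):
                continue
            if in_row_span([r for r, p in zip(R, lR) if p not in A], e1) is None:
                return False
    return True

if __name__ == "__main__":
    M, L = shamir_msp(1, 4)  # degree 1 among 4 players: Q_3 holds, Q_4 fails
    print(lambda_recombination(M, L, 3) is not None,            # True: 3-multiplicative
          lambda_recombination(M, L, 4) is not None,            # False: not 4-multiplicative
          is_strongly_multiplicative(M, L, lambda A: len(A) >= 2))  # True, as Theorem 3 predicts
```

With three players and degree-1 polynomials the scheme is multiplicative but neither 3-multiplicative nor strongly multiplicative, matching Proposition 4 (three singletons cover $P$, so the access structure is not $Q_3$); with four players both properties hold, and the $\lambda = 4$ test fails because four singletons cover $P$.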

A trivial example of a 3-multiplicative LSSS is Shamir's threshold secret sharing
scheme realizing any $Q_3$ threshold access structure. Using the same argument as
for strongly multiplicative LSSS, we have a general construction for
3-multiplicative LSSS based on Shamir's threshold secret sharing schemes, with
exponential complexity.

For any $\lambda$ vectors $x_i = (x_{i1}, \dots, x_{id}) \in \mathcal{K}^d$, $1 \le i \le \lambda$, we
define $\diamond_{i=1}^{\lambda} x_i$ to be the $\sum_{i=1}^{n} d_i^\lambda$-dimensional vector that
contains the entries of the form $x_{1j_1} x_{2j_2} \cdots x_{\lambda j_\lambda}$ with
$\psi(j_1) = \cdots = \psi(j_\lambda)$.

Definition 3 ($\lambda$-Multiplicativity). Let $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be an LSSS
realizing the access structure $\mathcal{AS}$, and let $\lambda \ge 1$ be an integer. Then
$\mathcal{M}$ is $\lambda$-multiplicative if there exists a recombination vector $z$ such that for
all $s_1, \dots, s_\lambda \in \mathcal{K}$ and $\rho_1, \dots, \rho_\lambda \in \mathcal{K}^{l-1}$ we have

$$\prod_{i=1}^{\lambda} s_i = z\left(\diamond_{i=1}^{\lambda} M(s_i,\rho_i)^T\right).$$

Moreover, $\mathcal{M}$ is strongly $\lambda$-multiplicative if for all $A \in \mathcal{A} = 2^P - \mathcal{AS}$,
the restricted LSSS $\mathcal{M}_{\bar{A}}$ is $\lambda$-multiplicative.

Again, we can define a new matrix by taking the diamond product of $\lambda$ copies
of $M$. This gives an equivalent characterization of (strongly) $\lambda$-multiplicative
LSSS. Also, since Shamir's threshold secret sharing scheme is trivially
$\lambda$-multiplicative and strongly $\lambda$-multiplicative for a suitable threshold, a
proper composition of Shamir's threshold secret sharing schemes results in a general
construction for both $\lambda$-multiplicative LSSS and strongly $\lambda$-multiplicative
LSSS. Let $Q_\lambda$ be the straightforward extension of $Q_2$ and $Q_3$, that is, an
access structure $\mathcal{AS}$ is $Q_\lambda$ if the player set $P$ cannot be covered by
$\lambda$ sets in $\mathcal{A} = 2^P - \mathcal{AS}$. The following corollary is easy to prove.

Corollary 1. Let $\mathcal{AS}$ be an access structure over $P$. Then there exists a
$\lambda$-multiplicative (respectively, strongly $\lambda$-multiplicative) LSSS realizing
$\mathcal{AS}$ if and only if $\mathcal{AS}$ is $Q_\lambda$ (respectively, $Q_{\lambda+1}$).

Since a $\lambda$-multiplicative LSSS transforms the product of $\lambda$ entries into a
linear combination of the local products of shares, it can be used to simplify the
secure computation of sequential multiplications. In particular, when compared to
using only the multiplicative property (which corresponds to the case $\lambda = 2$), a
$\lambda$-multiplicative LSSS can lead to a round complexity reduced by a factor of
$\log_2 \lambda$ in certain cases, since one round now multiplies $\lambda$ factors instead
of two.

We also point out that $Q_\lambda$ is not a necessary condition for secure computation.
Instead, the necessary condition is $Q_2$ for the passive adversary model, or $Q_3$ for
the active adversary model. The condition $Q_\lambda$ is just a necessary condition for
the existence of $\lambda$-multiplicative LSSS, which can be used to simplify
computation. In practice, many threshold adversary structures satisfy the $Q_\lambda$
condition for some appropriate integer $\lambda$, and the widely used Shamir threshold
secret sharing scheme is already $\lambda$-multiplicative. By using this
$\lambda$-multiplicativity, we can get more efficient MPC protocols. However, since the
special case $\lambda = 3$ shows a close relationship with strongly multiplicative LSSS,
a fundamental tool in MPC, this paper focuses on 3-multiplicative LSSS.

4 Strong Multiplicativity and 3-Multiplicativity 

In this section, we show that strong multiplicativity and 3-multiplicativity are 
closely related. On the one hand, given a strongly multiplicative LSSS, there is an 
efficient transformation that converts it to a 3-multiplicative LSSS. On the other 
hand, we show that any 3-multiplicative LSSS is a strongly multiplicative LSSS, 
but the converse is not true. It should be noted that strong multiplicativity, 
as defined, has a combinatorial nature. The definition of 3-multiplicativity is 
essentially algebraic, which is typically easier to verify. 

4.1 From Strong Multiplicativity to 3-Multiplicativity 

We show a general method to efficiently build a 3-multiplicative LSSS from a 
strongly multiplicative LSSS, for all Q 3 access structures. As an extension, the 
proposed method can also be used to efficiently build a (A + l)-multiplicative 
LSSS from a strongly A-multiplicative LSSS. 

Theorem 2. Let $\mathcal{AS}$ be a $Q_3$ access structure and $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be a
strongly multiplicative LSSS realizing $\mathcal{AS}$. Suppose that $\mathcal{M}$ has size $d$ and
$|\psi^{-1}(P_i)| = d_i$, for $1 \le i \le n$. Then there exists a 3-multiplicative LSSS
for $\mathcal{AS}$ of size $O(d^2)$.
Proof. We give a constructive proof. Let $M_\diamond$ be the matrix defined in Section 3
and $\psi'$ be the induced labeling map on the rows of $M_\diamond$. Then we have an LSSS
$\mathcal{M}_\diamond(\mathcal{K}, M_\diamond, \psi', e_1)$ that realizes some access structure
$\mathcal{AS}_\diamond$. Because $\mathcal{M}$ is strongly multiplicative, by Proposition 3 we have
$e_1 \in \mathrm{span}\{(M_\diamond)_{\bar{A}}\}$ for all $A \notin \mathcal{AS}$. Therefore
$\bar{A} \in \mathcal{AS}_\diamond$, and it follows that $\mathcal{AS}^* \subseteq \mathcal{AS}_\diamond$, where
$\mathcal{AS}^*$ denotes the dual access structure of $\mathcal{AS}$, defined by
$\mathcal{AS}^* = \{A \subseteq P \mid P - A \notin \mathcal{AS}\}$.

Equality (1) in the proof of Proposition 3 shows that the diamond product of two
share vectors equals a sharing of the product of the two secrets by the MSP
$\mathcal{M}_\diamond(\mathcal{K}, M_\diamond, \psi', e_1)$, that is,

$$\left(M(s_1,\rho'_1)^T\right) \diamond \left(M(s_2,\rho'_2)^T\right) = M_\diamond(s_1 s_2, \rho)^T,$$

where $\rho'_1, \rho'_2 \in \mathcal{K}^{l-1}$ and $(s_1 s_2, \rho) = (s_1,\rho'_1) \otimes (s_2,\rho'_2)$.
Thus, using a method similar to Nikov et al., we can get the product
$(s_1 s_2) \cdot s_3$ by sharing $s_3$ through the dual MSP of $\mathcal{M}_\diamond$, denoted by
$(\mathcal{M}_\diamond)^*$. Furthermore, since $(\mathcal{M}_\diamond)^*$ realizes the dual access
structure $(\mathcal{AS}_\diamond)^*$ and $(\mathcal{AS}_\diamond)^* \subseteq (\mathcal{AS}^*)^* = \mathcal{AS}$, we can
build a 3-multiplicative LSSS as the union of $\mathcal{M}$ and $(\mathcal{M}_\diamond)^*$, which
realizes the access structure $\mathcal{AS} \cup (\mathcal{AS}_\diamond)^* = \mathcal{AS}$. Now, following
the method of Cramer et al. and Fehr, we prove the required result via the
construction below.

Compute a column vector $v_0$ as a solution of the equation $(M_\diamond)^T v = e_1^T$
in $v$, and compute $v_1, \dots, v_k$ as a basis of the solution space of
$(M_\diamond)^T v = \mathbf{0}^T$. Note that $(M_\diamond)^T v = e_1^T$ is solvable because
$e_1 \in \mathrm{span}\{(M_\diamond)_{\bar{A}}\}$ for all $A \notin \mathcal{AS}$ (in particular
$e_1 \in \mathrm{span}\{M_\diamond\}$), while $(M_\diamond)^T v = \mathbf{0}^T$ may have only the trivial
solution $v = 0$, in which case $k = 0$. Let

$$M' = \begin{pmatrix} m_{11} & m_{12} & \cdots & m_{1l} & & & \\ \vdots & \vdots & & \vdots & & & \\ m_{d1} & m_{d2} & \cdots & m_{dl} & & & \\ v_0 & & & & v_1 & \cdots & v_k \end{pmatrix}, \qquad \text{where } \begin{pmatrix} m_{11} & \cdots & m_{1l} \\ \vdots & & \vdots \\ m_{d1} & \cdots & m_{dl} \end{pmatrix} = M$$

and the blanks in $M'$ denote zeros; so $M'$ has $l + k$ columns, the first of which
stacks the first column of $M$ on top of $v_0$. Define a labeling map $\psi''$ on the
rows of $M'$ which labels the first $d$ rows of $M'$ according to $\psi$ and the
remaining $\sum_{i=1}^{n} d_i^2$ rows according to $\psi'$.

As mentioned above, $\mathcal{M}'(\mathcal{K}, M', \psi'', e_1)$ obviously realizes the access
structure $\mathcal{AS}$. We now verify its 3-multiplicativity.

Let $N = (v_0, v_1, \dots, v_k)$, a matrix over $\mathcal{K}$ with $\sum_{i=1}^{n} d_i^2$ rows and
$k+1$ columns. For $s_i \in \mathcal{K}$ and
$\rho_i = (\rho'_i, \rho''_i) \in \mathcal{K}^{l-1} \times \mathcal{K}^k$, $1 \le i \le 3$, denote
$M'(s_i,\rho_i)^T = (u_i, w_i)^T$, where $u_i^T = M(s_i,\rho'_i)^T$ and
$w_i^T = N(s_i,\rho''_i)^T$. We have

$$u_1^T \diamond u_2^T = \left(M(s_1,\rho'_1)^T\right) \diamond \left(M(s_2,\rho'_2)^T\right) = M_\diamond(s_1 s_2, \rho)^T,$$

where $(s_1 s_2, \rho) = (s_1,\rho'_1) \otimes (s_2,\rho'_2)$. Then, since
$(M_\diamond)^T N = (e_1^T, \mathbf{0}^T, \dots, \mathbf{0}^T)$ by the choice of $v_0, \dots, v_k$,

$$(u_1 \diamond u_2) \cdot w_3^T = (s_1 s_2, \rho)\,(M_\diamond)^T N\,(s_3, \rho''_3)^T
= (s_1 s_2, \rho) \begin{pmatrix} 1 & 0 & \cdots & 0 \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & 0 \end{pmatrix} (s_3, \rho''_3)^T
= s_1 s_2 s_3.$$

It is easy to see that $(u_1 \diamond u_2) \cdot w_3^T$ is a linear combination of the
entries of $(u_1 \diamond u_2) \diamond w_3$ (the $j$-th entry of $u_1 \diamond u_2$ and the $j$-th
entry of $w_3$ are both labeled by $\psi'(j)$), and hence a linear combination of the
entries of $M'(s_1,\rho_1)^T \diamond M'(s_2,\rho_2)^T \diamond M'(s_3,\rho_3)^T$.

Hence $\mathcal{M}'$ is a 3-multiplicative LSSS for $\mathcal{AS}$. Obviously, the size of
$\mathcal{M}'$ is $O(d^2)$, since $d + \sum_{i=1}^{n} d_i^2 \le d^2 + d$. □


If we replace the matrix $M_\diamond$ above by the diamond product of $\lambda$ copies of
$M$, an identical argument shows that the construction of Theorem 2 gives rise to a
$(\lambda+1)$-multiplicative LSSS from a strongly $\lambda$-multiplicative LSSS.

Corollary 2. Let $\mathcal{AS}$ be a $Q_{\lambda+1}$ access structure and
$\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be a strongly $\lambda$-multiplicative LSSS realizing
$\mathcal{AS}$. Suppose the size of $\mathcal{M}$ is $d$ and $|\psi^{-1}(P_i)| = d_i$, for
$1 \le i \le n$. Then there exists a $(\lambda+1)$-multiplicative LSSS for $\mathcal{AS}$ of size
$O(d^\lambda)$.

4.2 From 3-Multiplicativity to Strong Multiplicativity 
Theorem 3. Any 3-multiplicative LSSS is strongly multiplicative. 

Proof. Let $\mathcal{M}(\mathcal{K}, M, \psi, e_1)$ be a 3-multiplicative LSSS realizing the access
structure $\mathcal{AS}$ over $P$. For any $A \in \mathcal{A} = 2^P - \mathcal{AS}$, by Proposition 1 we
can choose a fixed vector $\rho'' \in \mathcal{K}^{l-1}$ such that $M_A(1,\rho'')^T = \mathbf{0}^T$.
There exists a recombination vector $z \in \mathcal{K}^{\sum_{i=1}^{n} d_i^3}$ such that for all
$s, s' \in \mathcal{K}$ and $\rho, \rho' \in \mathcal{K}^{l-1}$, we have

$$ss' = z\left(M(s,\rho)^T \diamond M(s',\rho')^T \diamond M(1,\rho'')^T\right).$$

Since $M_A(1,\rho'')^T = \mathbf{0}^T$, every entry of the triple diamond product that
belongs to a player in $A$ vanishes, and $M_{\bar{A}}(1,\rho'')^T$ is a constant vector
for the fixed $\rho''$. Hence the vector $z' \in \mathcal{K}^{\sum_{P_i \in \bar{A}} d_i^2}$ that
satisfies

$$z\left(M(s,\rho)^T \diamond M(s',\rho')^T \diamond M(1,\rho'')^T\right) = z'\left(M_{\bar{A}}(s,\rho)^T \diamond M_{\bar{A}}(s',\rho')^T\right)$$

can be determined directly from $z$ and $M_{\bar{A}}(1,\rho'')^T$. Thus
$ss' = z'(M_{\bar{A}}(s,\rho)^T \diamond M_{\bar{A}}(s',\rho')^T)$, and hence $\mathcal{M}$ is
strongly multiplicative. □

Although the 3-multiplicative LSSS form a subclass of the strongly multiplicative
LSSS, one of the advantages of 3-multiplicativity is that its verification admits a
simpler process. For 3-multiplicativity, we need only check that
$e_1 \in \mathrm{span}\{M \diamond M \diamond M\}$, while strong multiplicativity requires the
verification of $e_1 \in \mathrm{span}\{(M \diamond M)_{\bar{A}}\}$ for all
$A \in \mathcal{A} = 2^P - \mathcal{AS}$.

Using a similar argument, the following results for $(\lambda+1)$-multiplicativity can
be proved:

(i) A $(\lambda+1)$-multiplicative LSSS is a strongly $\lambda$-multiplicative LSSS.

(ii) A $\lambda$-multiplicative LSSS is a $\lambda'$-multiplicative LSSS for every
$1 \le \lambda' \le \lambda$.

4.3 An Example of a Strongly Multiplicative LSSS That Is Not
3-Multiplicative

We give an example of a strongly multiplicative LSSS that is not 3-multiplicative.
It follows that the 3-multiplicative LSSS are strictly contained in the class of
strongly multiplicative LSSS. The construction process is as follows. Start with an
LSSS that realizes a $Q_3$ access structure but is not strongly multiplicative. We
then apply the general construction given in Section 2.3 to convert it into a
strongly multiplicative LSSS. The resulting LSSS is, however, not 3-multiplicative.

Let $P = \{P_1, P_2, P_3, P_4, P_5, P_6\}$ be the set of players. Consider the access
structure $\mathcal{AS}$ over $P$ defined by

$$\mathcal{AS}_{\min} = \{(1,2), (3,4), (5,6), (1,5), (1,6), (2,6), (2,5), (3,6), (4,5)\},$$

where we use subscripts to denote the corresponding players. For example, $(1,2)$
denotes the subset $\{P_1, P_2\}$. It is easy to verify that the corresponding
adversary structure is

$$\mathcal{A}_{\max} = \{(1,3), (1,4), (2,3), (2,4), (3,5), (4,6)\},$$

and that $\mathcal{AS}$ is a $Q_3$ access structure.

Let $\mathcal{K} = \mathbb{F}_2$. Define the matrix $M$ over $\mathbb{F}_2$ with the labeling map $\psi$
such that

[the matrix $M$ is not legible in this copy]

It can be verified that the LSSS $\mathcal{M}(\mathbb{F}_2, M, \psi, e_1)$ realizes the access
structure $\mathcal{AS}$. Moreover, for all $A \in \mathcal{A} - \{(1,3), (1,4)\}$, the restricted
LSSS $\mathcal{M}_{\bar{A}}$ is multiplicative. Thus, in order to get a strongly
multiplicative LSSS, we just need to expand $M$ with multiplicativity when
restricted to both $\{P_2, P_4, P_5, P_6\}$ and $\{P_2, P_3, P_5, P_6\}$.

Firstly, consider the LSSS $\mathcal{M}$ restricted to $P' = \{P_2, P_4, P_5, P_6\}$. Obviously,
$\mathcal{M}_{P'}$ realizes the access structure with
$\mathcal{AS}'_{\min} = \{(5,6), (2,6), (2,5), (4,5)\}$, which is $Q_2$ over $P'$. By the
method of Cramer et al., we can transform $\mathcal{M}_{P'}$ into the multiplicative LSSS
$\mathcal{M}'_{P'}(\mathbb{F}_2, M', \psi', e_1)$ given by the blocks
$M'_{P_2}, M'_{P_4}, M'_{P_5}, M'_{P_6}$ of $M'$ [the block entries are not legible in
this copy], where the blanks in the matrices denote zeros. For consistency, we define

$$M'_{P_1} = \left(M_{P_1}\ \ 0_{3 \times 4}\right), \qquad M'_{P_3} = \left(M_{P_3}\ \ 0_{2 \times 4}\right),$$

where $0_{m \times n}$ denotes the $m \times n$ all-zero matrix. It can be verified that for
the subset $P'' = \{P_2, P_3, P_5, P_6\}$, the restricted LSSS $\mathcal{M}'_{P''}$ is indeed
multiplicative. Therefore, $\mathcal{M}'(\mathbb{F}_2, M', \psi', e_1)$ is a strongly
multiplicative LSSS realizing the access structure $\mathcal{AS}$. Furthermore, it can be
verified that $\mathcal{M}'$ is not 3-multiplicative (the verification checks whether $e_1$
lies in the row span of $M' \diamond M' \diamond M'$, a $443 \times 729$ matrix since $M'$ has
$9$ columns and $9^3 = 729$; the check was carried out using Matlab).

The scheme $\mathcal{M}(\mathbb{F}_2, M, \psi, e_1)$ given above is the first example of an LSSS
which realizes a $Q_3$ access structure but is not strongly multiplicative.


5 Constructions for 3-Multiplicative LSSS 

It is tempting to find efficient constructions for 3-multiplicative LSSS. In general, 
it is a hard problem to construct LSSS with polynomial size for any specified ac- 
cess structure, and it seems to be an even harder problem to construct polynomial 
size 3-multiplicative LSSS with general Q 3 access structures. We mention two con- 
structions for 3-multiplicative LSSS. These constructions are generally inefficient, 
which can result in schemes with exponential sizes. The two constructions are: 

1. The Cramer-Damgård-Maurer construction based on Shamir's threshold secret
sharing scheme.

2. The construction given in Section 4.1 based on strongly multiplicative
LSSS.

There exist, however, some efficient LSSS with specific access structures that 
are multiplicative or 3-multiplicative. For instance, Shamir's $t$-out-of-$n$ threshold
secret sharing schemes are multiplicative if $n \ge 2t + 1$, and 3-multiplicative if


32 


Z. Zhang et al. 


On the other hand, secret sharing schemes from error-correcting codes have
good multiplicative properties. It is well known that a secret sharing scheme
from a linear error-correcting code is an LSSS. We know that such an LSSS is
multiplicative provided the underlying code is a self-dual code. The LSSS from
a Reed-Solomon code is $\lambda$-multiplicative if the corresponding access structure
is $Q_\lambda$. In this section, we show the multiplicativity of two other classes of
secret sharing schemes from error-correcting codes:

(i) schemes from Reed-Muller codes are $\lambda$-multiplicative LSSS; and

(ii) schemes from algebraic geometric codes are $\lambda$-multiplicative ramp LSSS.

5.1 A Construction from Reed-Muller Codes 

Let $v_0, v_1, \dots, v_{2^m-1}$ be all the points of the space $\mathbb{F}_2^m$. The binary
Reed-Muller code $\mathcal{R}(r,m)$ is defined as follows:

$$\mathcal{R}(r,m) = \{(f(v_0), f(v_1), \dots, f(v_{2^m-1})) \mid f \in \mathbb{F}_2[x_1, \dots, x_m],\ \deg f \le r\}.$$

Take $f(v_0)$ as the secret, and $f(v_i)$ as the share distributed to player $P_i$,
$1 \le i \le 2^m - 1$. Then $\mathcal{R}(r,m)$ gives rise to an LSSS for the set of players
$\{P_1, \dots, P_n\}$, with the secret domain being $\mathbb{F}_2$, where $n = 2^m - 1$. For any
three codewords

$$c_i = (s_i, s_{i1}, \dots, s_{in}) = (f_i(v_0), f_i(v_1), \dots, f_i(v_n)) \in \mathcal{R}(r,m), \qquad 1 \le i \le 3,$$

it is easy to see that

$$c_1 \diamond c_2 \diamond c_3 = (s_1 s_2 s_3,\ s_{11} s_{21} s_{31},\ \dots,\ s_{1n} s_{2n} s_{3n}) = (g(v_0), g(v_1), \dots, g(v_n)) \in \mathcal{R}(3r, m),$$

where $g = f_1 f_2 f_3 \in \mathbb{F}_2[x_1, \dots, x_m]$ and $\deg g \le 3r$. From basic results
on Reed-Muller codes, we know that $\mathcal{R}(3r,m)$ has dual code $\mathcal{R}(m - 3r - 1, m)$
when $m > 3r$, and the dual code $\mathcal{R}(m - 3r - 1, m)$ trivially contains the codeword
$(1, 1, \dots, 1)$. It follows that $s_1 s_2 s_3 = \sum_{j=1}^{n} s_{1j} s_{2j} s_{3j}$, which
shows that the LSSS from $\mathcal{R}(r,m)$ is 3-multiplicative when $m > 3r$. Certainly,
this LSSS is then also strongly multiplicative by Theorem 3. In general, we have the
following result:

Theorem 4. The LSSS constructed above from $\mathcal{R}(r,m)$ is $\lambda$-multiplicative,
provided $m > \lambda r$.
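The Python program below is an added illustration of this construction and of the Theorem 4 condition; it is not code from the paper. Polynomials over $\mathbb{F}_2$ are represented as sets of monomials, each monomial a frozenset of variable indices, and $v_0$ is taken to be the all-zero point (an assumption; the page only fixes that $v_0$ carries the secret). The program shares a codeword of $\mathcal{R}(r,m)$, checks the identity $\prod_i s_i = \sum_{j=1}^{n} \prod_i s_{ij}$ on concrete polynomials, and tests Theorem 4's condition directly: the all-ones word lies in $\mathcal{R}(\lambda r, m)^\perp$ exactly when every monomial of degree at most $\lambda r$ sums to $0$ over $\mathbb{F}_2^m$, and when $m \le \lambda r$ the code $\mathcal{R}(\lambda r, m)$ is all of $\mathbb{F}_2^{2^m}$, so no recombination vector exists at all. Function names are the example's own.

```python
# Added example (not from the paper): the Reed-Muller LSSS of Section 5.1 over F_2.
# A polynomial in F_2[x_1..x_m] is a set of monomials; a monomial is a frozenset of
# variable indices (the empty frozenset is the constant 1).  v_0 = (0, ..., 0) is an
# assumption of this illustration.
from itertools import combinations, product

def points(m):
    """v_0, v_1, ..., v_{2^m - 1}: all points of F_2^m, with v_0 = (0, ..., 0) first."""
    return sorted(product((0, 1), repeat=m))

def evaluate(f, v):
    """f(v) over F_2: the number of monomials of f that are 1 at v, modulo 2."""
    return sum(all(v[i] for i in mono) for mono in f) % 2

def degree(f):
    return max((len(mono) for mono in f), default=0)

def rm_share(f, m, r):
    """Codeword of R(r, m) read as an LSSS: secret f(v_0), share f(v_i) for P_i."""
    if degree(f) > r:
        raise ValueError("f must have degree at most r to lie in R(r, m)")
    vals = [evaluate(f, v) for v in points(m)]
    return vals[0], vals[1:]

def local_product_sum(share_lists):
    """sum_j prod_i s_ij over F_2: recombination with the all-ones vector."""
    n = len(share_lists[0])
    return sum(all(s[j] for s in share_lists) for j in range(n)) % 2

def product_is_local_combination(fs, m, r):
    """Does prod_i s_i == sum_j prod_i s_ij hold for these codewords of R(r, m)?"""
    secrets, shares = zip(*(rm_share(f, m, r) for f in fs))
    return int(all(secrets)) == local_product_sum(list(shares))

def rm_is_lambda_multiplicative(m, r, lam):
    """Theorem 4 test: the all-ones word lies in R(lam*r, m)^perp iff every monomial of
    degree <= lam*r sums to 0 over F_2^m.  A monomial of degree k sums to 2^(m-k) mod 2,
    so this holds exactly when m > lam*r; for m <= lam*r the dual code is {0}."""
    pts = points(m)
    for deg in range(min(lam * r, m) + 1):
        for vars_ in combinations(range(m), deg):
            if sum(evaluate({frozenset(vars_)}, v) for v in pts) % 2:
                return False
    return True

if __name__ == "__main__":
    x0, x1, x2, one = frozenset({0}), frozenset({1}), frozenset({2}), frozenset()
    # m = 4 > 3r with r = 1: three affine polynomials, identity holds (15 players)
    print(product_is_local_combination([{x0, one}, {x1, one}, {x2, one}], 4, 1))
    # m = 3 = 3r: the product x0*x1*x2 is 1 at exactly one nonzero point, identity fails
    print(product_is_local_combination([{x0}, {x1}, {x2}], 3, 1))
    print(rm_is_lambda_multiplicative(4, 1, 3), rm_is_lambda_multiplicative(3, 1, 3))
```

The second call is the boundary case the theorem excludes: with $m = 3r$ the product of the three shares is a degree-$m$ polynomial, whose values need not sum to zero over $\mathbb{F}_2^m$, so the all-ones vector is no longer in the dual code.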


5.2 A Construction from Algebraic Geometric Codes 

Chen and Cramer constructed secret sharing schemes from algebraic geometric (AG)
codes. These schemes are quasi-threshold (or ramp) schemes, which means that any
$t$ out of $n$ players can recover the secret, and any fewer than $t'$ players have no
information about the secret, where $t' < t \le n$. In this section, we show that ramp
schemes from some algebraic geometric codes are $\lambda$-multiplicative.
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Let x be an absolutely irreducible, projective, and nonsingular curve defined 
over F g with genus g, and let D = {no, v \, . . . , v n } be the set of Fg-rational points 
on x- Let G be an F g -rational divisor with degree m satisfying supp(G) (~l D = 0 
and 2g — 2 < m < n + 1. Let F g denote the algebraic closure of ¥ q , let F g (x) 
denote the function field of the curve x, and let (2(x) denote all the differentials 
on x- Define the linear spaces: 

C(G) = {fe Fg(x) f (/) + G > 0}, 

(2(G) = {u£ f2( X ) | M > G}. 

Then the functional AG code Cc(D,G) and residual AG code Cn(D, G) are 
respectively defined as follows: 

Cc(D, G) = {(/(n 0 ), /(m), . . . , /(«„)) | / e C(G)} C F ? n+1 , 

C n (D,G) = §(Res v M,Res vl (v), ■ ■ -,Res Vn (vJ) I g G (2(G - D)} C ¥ q n+1 , 

where Res Vi (rj) denotes the residue of g at n». 

As above, $C_{\Omega}(D, G)$ induces an LSSS for the set of players $\{P_1, \ldots, P_n\}$, where for every codeword $(f(v_0), f(v_1), \ldots, f(v_n)) \in C_{\Omega}(D, G) = C_{\mathcal{L}}(D, D - G + (\eta))$, $f(v_0)$ is the secret and $f(v_i)$ is $P_i$'s share, $1 \le i \le n$. For any $\lambda$ codewords

\[ c_i = (s_i, s_{i1}, \ldots, s_{in}) = (f_i(v_0), f_i(v_1), \ldots, f_i(v_n)) \in C_{\mathcal{L}}(D, D - G + (\eta)), \quad 1 \le i \le \lambda, \]

it is easy to see that

\[ \prod_{i=1}^{\lambda} c_i \in C_{\mathcal{L}}(D, \lambda(D - G + (\eta))). \]

If $2g - 2 < \deg(\lambda(D - G + (\eta))) < n$, then $C_{\mathcal{L}}(D, \lambda(D - G + (\eta)))$ has the dual code $C_{\Omega}(D, \lambda(D - G + (\eta))) = C_{\mathcal{L}}(D, \lambda G - (\lambda - 1)(D + (\eta)))$. When $\deg(\lambda G - (\lambda - 1)(D + (\eta))) \ge 2g$, $C_{\Omega}(D, \lambda(D - G + (\eta)))$ has a codeword with a nonzero first coordinate, implying $\prod_{i=1}^{\lambda} s_i = \sum_{j=1}^{n} a_j \prod_{i=1}^{\lambda} s_{ij}$ for some constants $a_j \in \mathbb{F}_q$. Thus, the LSSS induced by the AG code $C_{\Omega}(D, G)$ is $\lambda$-multiplicative. It is easy to see that if $\deg G = m > \frac{(\lambda - 1)(n - 1)}{\lambda} + 2g$ then we have $2g - 2 < \deg(\lambda(D - G + (\eta))) < n$ and $\deg(\lambda G - (\lambda - 1)(D + (\eta))) \ge 2g$. Therefore, we have the following theorem.
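As an added check, not part of the paper, the two degree conditions can be unwound explicitly using $\deg D = n + 1$ and $\deg(\eta) = 2g - 2$:

\[ \deg\bigl(\lambda G - (\lambda - 1)(D + (\eta))\bigr) = \lambda m - (\lambda - 1)(n + 2g - 1) \ge 2g \;\Longleftrightarrow\; m \ge \frac{(\lambda - 1)(n - 1)}{\lambda} + 2g, \]

\[ \deg\bigl(\lambda(D - G + (\eta))\bigr) = \lambda\,(n + 2g - 1 - m) < n \;\Longleftrightarrow\; m > \frac{(\lambda - 1)\,n}{\lambda} + 2g - 1. \]

The second threshold is smaller than the first by $1 - \frac{\lambda - 1}{\lambda} = \frac{1}{\lambda} > 0$, so the single bound $m > \frac{(\lambda - 1)(n - 1)}{\lambda} + 2g$ of Theorem 5 enforces both conditions at once.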

Theorem 5. Let $\chi$ be an absolutely irreducible, projective, and nonsingular curve defined over $\mathbb{F}_q$ with genus $g$, let $D = \{v_0, v_1, \ldots, v_n\}$ be the set of $\mathbb{F}_q$-rational points on $\chi$. Let $G$ be an $\mathbb{F}_q$-rational divisor with degree $m$ satisfying $\mathrm{supp}(G) \cap D = \emptyset$ and $2g - 2 < m < n + 1$. Then the LSSS induced by the AG code $C_{\Omega}(D, G)$ is $\lambda$-multiplicative, provided $m > \frac{(\lambda - 1)(n - 1)}{\lambda} + 2g$.


6 Implications of the Multiplicativity of LSSS 

The property of 3-multiplicativity implies strong multiplicativity, and so is sufficient for building MPC protocols against active adversaries. The conditions for 3-multiplicativity are easy to verify, while verification for strong multiplicativity involves checking an exponential number of equations (each subset in the adversary structure corresponds to an equation).

With 3-multiplicative LSSS, or more generally $\lambda$-multiplicative LSSS, we can simplify local computation for each player and reduce the round complexity in MPC protocols. For example, using the technique of Bar-Ilan and Beaver we can compute $\prod_{i=1}^{l} x_i$, $x_i \in \mathbb{F}_q$, in a constant number of rounds, independent of $l$. For simplicity, we consider passive adversaries in the information-theoretic model. Suppose for $1 \le i \le l$, the shares of $x_i$, denoted by $[x_i]$, have already been distributed among the players. To compute $\prod_{i=1}^{l} x_i$, $x_i \in \mathbb{F}_q$, we follow the process of Cramer et al.:

(1) Generate $[b_0 \in_R \mathbb{F}_q^*], [b_1 \in_R \mathbb{F}_q^*], \ldots, [b_l \in_R \mathbb{F}_q^*]$ and $[b_0^{-1}], [b_1^{-1}], \ldots, [b_l^{-1}]$, where $b_i \in_R \mathbb{F}_q^*$ means that $b_i$ is a random element in $\mathbb{F}_q^*$.

(2) For $1 \le i \le l$, each player computes $[b_{i-1} x_i b_i^{-1}]$ from $[b_{i-1}]$, $[b_i^{-1}]$ and $[x_i]$.

(3) Recover $d_i = b_{i-1} x_i b_i^{-1}$ from $[b_{i-1} x_i b_i^{-1}]$ for $1 \le i \le l$, and compute $d = \prod_{i=1}^{l} d_i$.

(4) Compute $[d b_0^{-1} b_l]$ from $[b_0^{-1}]$, $[b_l]$ and $d$.


It is easy to see that $d b_0^{-1} b_l = \prod_{i=1}^{l} x_i$. Using a multiplicative LSSS, the above process takes five rounds of interaction, as two rounds are required in Step (2). However, if we use a 3-multiplicative LSSS instead, then only one round is needed for Step (2). Thus, 3-multiplicative LSSS reduce the round complexity of computing unbounded fan-in multiplication from five to four. This in turn simplifies the computation of many problems, such as polynomial evaluation and solving linear systems of equations.
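The following Python simulation of Steps (1)-(4) is an added example and is not code from the paper. It instantiates the $\lambda$-multiplicative LSSS with Shamir's $(t, n)$ scheme over a prime field (an assumption; the paper's constructions are different schemes), where the coordinate-wise product of $\lambda$ share vectors is a degree-$\lambda t$ sharing of the product, so the scheme is $\lambda$-multiplicative exactly when $n \ge \lambda t + 1$. `triple_product_recoverable` shows that boundary directly, and `unbounded_fanin_product` runs the whole procedure with the triple product of Step (2) done locally.

```python
"""Bar-Ilan/Beaver unbounded fan-in multiplication over Shamir sharing.

Added example, not code from the paper. Shamir's (t, n) scheme over F_p is
lambda-multiplicative whenever n >= lambda*t + 1: the coordinate-wise product
of lambda share vectors lies on a polynomial of degree lambda*t, which the
n players can still interpolate. Step (2) of the procedure above multiplies
THREE shared values b_{i-1}, x_i, b_i^{-1}; with a 3-multiplicative scheme
each player does that locally, in a single round.
"""
import random

P = 1_000_003  # prime modulus of the field F_p (constructed choice)


def share(secret, t, n, rng):
    """Shamir shares of `secret`: a random degree-t polynomial evaluated at 1..n."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return [sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at 0 from the shares of players 1..len(shares)."""
    m = len(shares)
    secret = 0
    for i in range(1, m + 1):
        num, den = 1, 1
        for j in range(1, m + 1):
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        secret = (secret + shares[i - 1] * num * pow(den, P - 2, P)) % P
    return secret


def local_product(*share_vectors):
    """Each player multiplies its own shares: a degree (lambda*t) sharing of the product."""
    out = []
    for player_shares in zip(*share_vectors):
        v = 1
        for s in player_shares:
            v = v * s % P
        out.append(v)
    return out


def triple_product_recoverable(t, n, seed=0):
    """Can n players recover a*b*c from locally multiplied shares (needs n >= 3t+1)?"""
    rng = random.Random(seed)
    for _ in range(3):  # several independent trials so a chance collision cannot hide failure
        a, b, c = (rng.randrange(P) for _ in range(3))
        prod_sh = local_product(share(a, t, n, rng), share(b, t, n, rng), share(c, t, n, rng))
        if reconstruct(prod_sh) != a * b * c % P:
            return False
    return True


def unbounded_fanin_product(xs, t, n, seed=0):
    """Steps (1)-(4) of the procedure above, simulated centrally; returns prod(xs) mod p."""
    rng = random.Random(seed)
    l = len(xs)
    x_sh = [share(x, t, n, rng) for x in xs]
    # (1) random nonzero b_0..b_l and their inverses, all shared
    bs = [rng.randrange(1, P) for _ in range(l + 1)]
    b_sh = [share(b, t, n, rng) for b in bs]
    binv_sh = [share(pow(b, P - 2, P), t, n, rng) for b in bs]
    # (2) [b_{i-1} x_i b_i^{-1}]: a local triple product thanks to 3-multiplicativity
    d_sh = [local_product(b_sh[i - 1], x_sh[i - 1], binv_sh[i]) for i in range(1, l + 1)]
    # (3) open every d_i (degree 3t, so 3t+1 shares suffice) and multiply in the clear
    d = 1
    for sh in d_sh:
        d = d * reconstruct(sh[:3 * t + 1]) % P
    # (4) [d b_0^{-1} b_l]: one ordinary multiplication of two shared values, scaled by public d
    res_sh = [d * s % P for s in local_product(binv_sh[0], b_sh[l])]
    return reconstruct(res_sh[:2 * t + 1])
```

With $t = 2$ the triple product of Step (2) is recoverable by $n = 7$ players but not by $n = 6$, which is the concrete content of "3-multiplicative" here; the opened values $d_i = b_{i-1} x_i b_i^{-1}$ are uniformly random for any $x_i \ne 0$ because the $b_i$ are, so revealing them in Step (3) leaks nothing about the inputs to a passive adversary.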

In general, the relationship between $\lambda$-multiplicative LSSS and strongly $\lambda$-multiplicative LSSS can be described as follows:

\[ \cdots \subset \mathrm{SMLSSS}_{\lambda+1} \subset \mathrm{MLSSS}_{\lambda+1} \subset \mathrm{SMLSSS}_{\lambda} \subset \mathrm{MLSSS}_{\lambda} \subset \cdots, \]

where $\mathrm{MLSSS}_{\lambda}$ (respectively, $\mathrm{SMLSSS}_{\lambda}$) denotes the class of $\lambda$-multiplicative (respectively, strongly $\lambda$-multiplicative) LSSS. It is easy to see that $\mathrm{SMLSSS}_{\lambda} \subset \mathrm{MLSSS}_{\lambda}$ because they exist under the conditions $Q_{\lambda+1}$ and $Q_{\lambda}$, respectively. Since $\mathrm{SMLSSS}_{\lambda}$ and $\mathrm{MLSSS}_{\lambda+1}$ both exist under the same necessary and sufficient condition $Q_{\lambda+1}$, it is not straightforward to see whether $\mathrm{MLSSS}_{\lambda+1}$ is strictly contained in $\mathrm{SMLSSS}_{\lambda}$. For $\lambda = 2$, we already know that $\mathrm{MLSSS}_3 \subset \mathrm{SMLSSS}_2$ (see the earlier section on 3-multiplicative LSSS). It would be interesting to find out if this is also true for $\lambda > 2$. We have also given an efficient transformation from $\mathrm{SMLSSS}_{\lambda}$ to $\mathrm{MLSSS}_{\lambda+1}$. It remains open whether an efficient transformation from $\mathrm{MLSSS}_{\lambda}$ to $\mathrm{SMLSSS}_{\lambda}$ exists when the access structure is $Q_{\lambda+1}$. When $\lambda = 2$, this is a well-known open problem.


7 Conclusions 

In this paper, we propose the new concept of 3-multiplicative LSSS, which form a 
subclass of strongly multiplicative LSSS. The 3-multiplicative LSSS are easier to 
construct compared to strongly multiplicative LSSS. They can also simplify the 
computation and reduce the round complexity in secure multiparty computation 
protocols. We believe that 3-multiplicative LSSS are a more appropriate primi- 
tive as building blocks for secure multiparty computations, and deserve further 
investigation. We stress that finding efficient constructions of 3-multiplicative 
LSSS for general access structures remains an important open problem. 
Abstract. Recently, Desmedt et al. studied the problem of achieving secure $n$-party computation over non-Abelian groups. They considered the passive adversary model and they assumed that the parties were only allowed to perform black-box operations over the finite group $G$. They showed three results for the $n$-product function $f_G(x_1, \ldots, x_n) := x_1 \cdot x_2 \cdot \ldots \cdot x_n$, where the input of party $P_i$ is $x_i \in G$ for $i \in \{1, \ldots, n\}$. First, if $t \ge \lceil n/2 \rceil$ then it is impossible to have a $t$-private protocol computing $f_G$. Second, they demonstrated that one could $t$-privately compute $f_G$ for any $t \le \lceil n/2 \rceil - 1$ in exponential communication cost. Third, they constructed a randomized algorithm with $O(n t^2)$ communication complexity for any $t < \frac{n}{2.948}$.

In this paper, we extend these results in two directions. First, we use percolation theory to show that for any fixed $\epsilon > 0$, one can design a randomized algorithm for any $t < \frac{n}{2+\epsilon}$ using $O(n^3)$ communication complexity, thus nearly matching the known upper bound $\lceil n/2 \rceil - 1$. This is the first time that percolation theory is used for multiparty computation. Second, we exhibit a deterministic construction having polynomial communication cost for any $t = O(n^{1-\epsilon})$ (again for any fixed $\epsilon > 0$). Our results extend to the more general function $f_G(x_1, \ldots, x_m) := x_1 \cdot x_2 \cdot \ldots \cdot x_m$ where $m \ge n$ and each of the $n$ parties holds one or more input values.

Keywords: Multiparty Computation, Passive Adversary, Non-Abelian Groups, Graph Coloring, Percolation Theory.


1 Introduction 

In multiparty computation, a set of $n$ parties $\{P_1, \ldots, P_n\}$ want to compute a function of some secret inputs held locally by these participants. Since its introduction by Yao, multiparty computation has been extensively studied. Most multiparty computation protocols rely on algebraic structures which are at least Abelian groups. The usefulness of Abelian groups in cryptography is not restricted to multiparty computation, as numerous cryptographic primitives are developed over such groups. However, the construction of efficient quantum algorithms to solve the discrete logarithm problem as well as the factoring problem prevents the use of many of these primitives over those machines [18]. Since quantum algorithms seem to be less efficient over non-Abelian groups, there is increasingly a need for developing cryptographic constructions over such mathematical structures. The reader may be aware of the existence of public key cryptosystems for such groups [15, 16].

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 37-53, 2008.

Recently, Desmedt et al. studied the problem of designing secure $n$-party protocols over non-commutative finite groups for the passive (or semi-honest) adversary model [5]. Their goal is to guarantee unconditional security simply using a black-box representation of the finite non-Abelian group $(G, \cdot)$. This assumption means that the $n$ parties can only perform three operations in $(G, \cdot)$: the group operation ($(x, y) \mapsto x \cdot y$), the group inversion ($x \mapsto x^{-1}$) and the uniformly distributed group sampling ($x \in_R G$).

Desmedt et al. focused on the existence and the design of $t$-private protocols for the $n$-product function $f_G(x_1, \ldots, x_n) := x_1 \cdot \ldots \cdot x_n$ where the input of party $P_i$ is $x_i \in G$ for $i \in \{1, \ldots, n\}$. In such a protocol, no colluding set $C$ of at most $t$ participants learns anything about the data held by any of the remaining members $\{P_1, \ldots, P_n\} \setminus C$. Desmedt et al. obtained three important results. First, if $t \ge \lceil n/2 \rceil$ (dishonest majority) then it is impossible to construct a $t$-private protocol to compute $f_G$. Second, if $t < \lceil n/2 \rceil$ then one can always design a deterministic $t$-private protocol computing $f_G$ with an exponential communication complexity of $O\bigl(n \binom{2t+1}{t}\bigr)$ group elements. Third, they built a probabilistic $t$-private protocol computing $f_G$ with a polynomial communication complexity of $O(n t^2)$ group elements when $t < \frac{n}{2.948}$.

That work leads to two important questions. First, we would like to know if it is possible to construct a $t$-private protocol for values of $t \in \bigl[\frac{n}{2.948}, \lceil n/2 \rceil - 1\bigr]$ with polynomial communication complexity. Second, Desmedt et al.'s construction shows that one can $t$-privately compute $f_G$ with polynomial communication cost for any $t = O(\log n)$. A natural issue is to determine the existence and to construct a deterministic $t$-private protocol with polynomial communication complexity for other values $t$ (ideally, up to the threshold $\lceil n/2 \rceil - 1$).

In this article, we give a positive answer to these two questions. First, we demonstrate that the random coloring approach and the graph construction by Desmedt et al. can be used to guarantee $t$-privacy for any $t < \frac{n}{2+\epsilon}$ (for any fixed $\epsilon > 0$). The communication complexity of our construction is $O(n^3)$ group elements. This result is obtained using percolation theory. To the best of our knowledge, this is the first use of this theory in the context of multiparty computation. Second, we provide a deterministic construction for any $t = O(n^{1-\epsilon})$. This scheme has polynomial communication complexity as well.

This paper is organized as follows. In the next section, we recall the different reductions performed in [5] to solve the $t$-privacy issue over non-Abelian groups. In Sect. 3 we present our randomized construction achieving $t$-privacy for any value $t < \frac{n}{2+\epsilon}$, which is close to the theoretical bound $\lceil n/2 \rceil - 1$. In Sect. 4 we show how to construct deterministic $t$-private protocols having polynomial communication cost for any $t = O(n^{1-\epsilon})$. In the last section, we conclude our paper with some remaining open problems for multiparty computation over non-Abelian black-box groups.


Graph Design for Secure Multiparty Computation over Non-Abelian Groups


2 Achieving Secure Computation over Non-Abelian Groups 

In this section, we present some of the results and constructions developed by Desmedt et al. which are necessary to understand our improvements from Sect. 3 and Sect. 4. First, we recall the definition of secure multiparty computation in the passive, computationally unbounded attack model, restricted to deterministic symmetric functionalities and perfect emulation.

We denote by $[n]$ the set of integers $\{1, \ldots, n\}$, by $\{0, 1\}^*$ the set of all finite binary strings and by $|A|$ the cardinality of the set $A$.

Definition 1. We denote by $f : (\{0,1\}^*)^n \to \{0,1\}^*$ an $n$-input and single-output function. Let $\Pi$ be an $n$-party protocol for computing $f$. We denote the $n$-party input sequence by $x = (x_1, \ldots, x_n)$, the joint protocol view of parties in subset $I \subseteq [n]$ by $\mathrm{VIEW}^{\Pi}_I(x)$, and the protocol output by $\mathrm{OUT}^{\Pi}(x)$. For $0 < t < n$, we say that $\Pi$ is a $t$-private protocol for computing $f$ if there exists a probabilistic polynomial-time algorithm $S$, such that, for every $I \subseteq [n]$ with $|I| \le t$ and every $x \in (\{0,1\}^*)^n$, the random variables

\[ (S(I, x_I, f(x)), f(x)) \quad \text{and} \quad (\mathrm{VIEW}^{\Pi}_I(x), \mathrm{OUT}^{\Pi}(x)) \]

are identically distributed, where $x_I$ denotes the projection of the $n$-ary sequence $x$ on the coordinates in $I$.

In the remainder of this paper, we assume that party $P_i$ has a personal input $x_i \in G$ (for $i \in [n]$) and the function to be computed is the $n$-party product $f_G(x_1, \ldots, x_n) := x_1 \cdot \ldots \cdot x_n$.

Desmedt et al. first reduced the problem of constructing a $t$-private $n$-party protocol for $f_G$ to the problem of constructing a symmetric (strong) $t$-private protocol (see [5] for a detailed definition of symmetric privacy) to compute the shared 2-product function $f'_G(x, y) := x \cdot y$ where the inputs $x$ and $y$ are shared amongst the $n$ parties. They demonstrated that iterating the protocol $(n - 1)$ times would give a $t$-private protocol to compute $f_G$.

The second reduction occurring in [5] consists of constructing a $t$-private $n$-party shared 2-product protocol from a suitable coloring over particular directed graphs. We detail the important steps of this reduction as they serve the understanding of our own constructions.

Definition 2 ([5]). We call a graph $\mathcal{G}$ an admissible Planar Directed Acyclic Graph (PDAG) with share parameter $\ell$ and size parameter $m$ ($\ge \ell$) if it has the following properties:

- The nodes of $\mathcal{G}$ are drawn on a square $m \times m$ grid of points (each node of $\mathcal{G}$ is located at a grid point but some grid points may not be occupied by nodes). The rows of the grid are indexed from top to bottom and the columns from left to right by the integers $1, 2, \ldots, m$. A node of $\mathcal{G}$ at row $i$ and column $j$ is said to have index $(i, j)$. $\mathcal{G}$ has $2\ell$ input nodes on the top row, and $\ell$ output nodes on the bottom row.

- The incoming edges of a node on row $i$ only come from nodes on row $i - 1$, and outgoing edges of a node on row $i$ only go to nodes on row $i + 1$.

- For each row $i$ and column $j$, let $j_1 < \cdots < j_{q(i,j)}$ denote the ordered column indices of the $q(i, j) \ge 0$ nodes on level $i + 1$ which are connected to node $(i, j)$ by an edge. Then, for each $j \in [m - 1]$, we have:

which means that the rightmost node on level $i + 1$ connected to node $(i, j)$ is to the left of (or equal to) the leftmost node on level $i + 1$ connected to node $(i, j + 1)$.


An admissible PDAG has $2\ell$ input nodes. The first $\ell$ ones (i.e. $(1, 1), \ldots, (1, \ell)$) represent the $x$-input nodes while the remaining ones represent the $y$-input nodes. Let $C : [m] \times [m] \to [n]$ be an $n$-coloring function that associates to each node $(i, j)$ of $\mathcal{G}$ a color $C(i, j)$ chosen from a set of $n$ possible colors. The following notion will be used to express the property we expect the graph coloring to have in order to build the protocol.


Definition 3 ([5]). We say that $C : [m] \times [m] \to [n]$ is a $t$-reliable $n$-coloring for the admissible PDAG $\mathcal{G}$ (with share parameter $\ell$ and size parameter $m$) if for each $t$-color subset $I \subseteq [n]$, there exist $j_x^* \in [\ell]$ and $j_y^* \in [\ell]$ such that:

- There exists a path $\mathrm{PATH}_x$ in $\mathcal{G}$ from the $j_x^*$-th $x$-input node to the $j_y^*$-th output node, such that none of the path node colors are in subset $I$ (it is called an $I$-avoiding path), and

- There exists an $I$-avoiding path $\mathrm{PATH}_y$ in $\mathcal{G}$ from the $j_y^*$-th $y$-input node to the $j_y^*$-th output node.

If $j_x^* = j_y^*$ for all $I$, we say that $C$ is a symmetric $t$-reliable $n$-coloring.

Important Remark: Even if the graph $\mathcal{G}$ is directed, it is regarded as non-directed when building the $I$-avoiding paths in Definition 3.

Desmedt et al. built a protocol $\Pi(\mathcal{G}, C)$ taking as input a graph $\mathcal{G}$ and an $n$-coloring $C$. We do not detail this protocol in our paper as its internal design does not have any influence on our work. The reader can find it in [5]. However, in order to ease the understanding of our work, we recall the relation between multiparty protocols over a non-Abelian group $G$ and colorings of admissible PDAGs as it appears in [5].

The $n$ participants $\{P_1, \ldots, P_n\}$ are identified by the $n$ colors of the admissible PDAG $\mathcal{G}$. The input/output nodes of the graph $\mathcal{G}$ are labeled by the input/output elements of the group $G$. Each edge represents a group element sent from one participant to another one. Each internal node contains an intermediate value of the protocol. Those values are computed, at each node $N$ of $\mathcal{G}$, as the group operation between the elements along all the incoming edges of $N$ from the leftmost one to the rightmost one. This intermediate value is then redistributed along all the outgoing edges of $N$ using the following $O_N$-of-$O_N$ secret sharing where $O_N$ represents the number of outgoing edges of node $N$.


Proposition 1 ([5]). Let $g$ be an element of the non-Abelian group $G$. Denote by $\lambda$ and $\rho$ two integers where $\rho \in [\lambda]$. We create a $\lambda$-of-$\lambda$ sharing $(s_g(1), \ldots, s_g(\lambda))$ of $g$ by picking the $\lambda - 1$ shares $\{s_g(\lambda')\}_{\lambda' \in [\lambda] \setminus \{\rho\}}$ uniformly and independently at random from $G$, and computing $s_g(\rho)$ to be the unique element of $G$ such that:

\[ g = s_g(1) \cdot s_g(2) \cdot \ldots \cdot s_g(\lambda). \]

Then, the distribution of the shares $(s_g(1), \ldots, s_g(\lambda))$ is independent of $\rho$.
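The sharing of Proposition 1 and the node rule of the preceding paragraph, as an added Python example that is not code from the paper or from Desmedt et al. The black-box group is instantiated with $S_3$ (an assumption chosen because it is the smallest non-Abelian group), using only the three permitted operations; `share_distribution` enumerates every random choice and confirms that the multiset of share vectors does not depend on $\rho$, and `node_forward` is the left-to-right product followed by an $O_N$-of-$O_N$ resharing.

```python
"""Proposition 1 above on a black-box non-Abelian group (added example, not from the paper).

The group is S_3, stored as permutation tuples; only the three black-box operations
(composition, inversion, uniform sampling) are used. `lam_share` draws lambda-1
shares at random and solves for the rho-th one so that the ORDERED product is g.
`share_distribution` enumerates all the randomness and returns the multiset of
share vectors, which turns out to be the same for every rho, as the proposition claims.
"""
import itertools
import random

S3 = list(itertools.permutations(range(3)))  # the six group elements (constructed)
IDENTITY = (0, 1, 2)


def mul(a, b):
    """Group operation a * b: apply permutation b first, then a."""
    return tuple(a[b[i]] for i in range(3))


def inv(a):
    r = [0] * 3
    for i, ai in enumerate(a):
        r[ai] = i
    return tuple(r)


def prod(elems):
    """Ordered product e_1 * e_2 * ... * e_k (the order matters in S_3)."""
    out = IDENTITY
    for e in elems:
        out = mul(out, e)
    return out


def complete(shares, g, rho):
    """Fill the rho-th (1-based) slot so that the ordered product of all shares equals g.

    g = L * s_rho * R  =>  s_rho = L^{-1} * g * R^{-1}, with L (R) the product of the
    shares to the left (right) of position rho.
    """
    left = prod(shares[: rho - 1])
    right = prod(shares[rho:])
    shares = list(shares)
    shares[rho - 1] = mul(mul(inv(left), g), inv(right))
    return tuple(shares)


def lam_share(g, lam, rho, seed=0):
    """lambda-of-lambda sharing of g with the rho-th share computed from the others."""
    rng = random.Random(seed)
    shares = [rng.choice(S3) if idx != rho - 1 else IDENTITY for idx in range(lam)]
    return complete(shares, g, rho)


def share_distribution(g, lam, rho):
    """Exhaustive enumeration of the lambda-1 random draws: sorted list of share vectors."""
    free = [idx for idx in range(lam) if idx != rho - 1]
    vectors = []
    for choice in itertools.product(S3, repeat=lam - 1):
        shares = [IDENTITY] * lam
        for idx, val in zip(free, choice):
            shares[idx] = val
        vectors.append(complete(shares, g, rho))
    return sorted(vectors)


def node_forward(incoming, out_degree, seed=0):
    """What an internal node N does: multiply incoming values left to right, then
    reshare the result O_N-of-O_N (rho chosen as 1 here) along the outgoing edges."""
    value = prod(incoming)
    return lam_share(value, out_degree, 1, seed)
```

For $\lambda = 3$ the enumeration yields the 36 vectors $(s_1, s_2, s_3)$ with $s_1 s_2 s_3 = g$, each exactly once, whichever slot was solved for: the sharing is uniform over the solution set, which is why a player cannot tell which share was "computed" and which were sampled.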

We recall the following important result:

Theorem 1 ([5]). If $\mathcal{G}$ is an admissible PDAG and $C$ is a symmetric $t$-reliable $n$-coloring for $\mathcal{G}$ then $\Pi(\mathcal{G}, C)$ achieves symmetric strong $t$-privacy.

The last reduction is related to the admissible PDAG. Desmedt et al. only consider admissible PDAGs as defined below and represented in Fig. 1.



Fig. 1. The admissible PDAG $\mathcal{G}_{tri}(\ell', \ell)$


Definition 4 ([5]). The admissible PDAG $\mathcal{G}_{tri}(\ell', \ell)$ is an $\ell' \times \ell$ directed grid such that:

- [horizontal edges] for $i \in [\ell']$ and for $j \in [\ell - 1]$, there is a directed edge from node $(i, j + 1)$ to $(i, j)$,

- [vertical edges] for $i \in [\ell' - 1]$ and for $j \in [\ell]$, there is a directed edge from node $(i, j)$ to node $(i + 1, j)$,

- [diagonal edges] for $i \in [\ell' - 1]$ and for $j \in \{2, \ldots, \ell\}$, there is a directed edge from node $(i, j)$ to node $(i + 1, j - 1)$.

According to Definition 2, an admissible PDAG has $2\ell$ input nodes and no horizontal edges. Desmedt et al. indicated that the $y$-input nodes could be arranged along a column on $\mathcal{G}_{tri}(\ell', \ell)$ instead of being along the same row as the $x$-input nodes. They also explained that $\mathcal{G}_{tri}(\ell', \ell)$ could be drawn according to the requirements of Definition 2. By rotating $\mathcal{G}_{tri}(\ell', \ell)$ by 45 degrees anticlockwise, the $x$-input nodes and $y$-input nodes of $\mathcal{G}_{tri}(\ell', \ell)$ are now on the same row and the horizontal edges of $\mathcal{G}_{tri}(\ell', \ell)$ have become diagonal edges which satisfy Definition 2.

A priori, $\mathcal{G}_{tri}(\ell', \ell)$ is a rectangular grid. In [5], Desmedt et al. considered square grids $\mathcal{G}_{tri}(\ell, \ell)$ for which they introduced the following notion.

Definition 5 ([5]). We say that $C : [\ell] \times [\ell] \to [n]$ is a weakly $t$-reliable $n$-coloring for $\mathcal{G}_{tri}(\ell, \ell)$ if for each $t$-color subset $I \subseteq [n]$:

- There exists an $I$-avoiding path $\mathcal{P}_x$ in $\mathcal{G}_{tri}(\ell, \ell)$ from a node on the top row to a node on the bottom row. Such a path is called an $I$-avoiding top-bottom path.

- There exists an $I$-avoiding path $\mathcal{P}_y$ in $\mathcal{G}_{tri}(\ell, \ell)$ from a node on the rightmost column to a node on the leftmost column. Such a path is called an $I$-avoiding right-left path.

As said in [5], the admissible PDAG requirements (Definition 2) are still satisfied if we remove from $\mathcal{G}_{tri}$ some 'positive slope' diagonal edges and add some 'negative slope' diagonal edges (connecting a node $(i, j)$ to node $(i + 1, j + 1)$, for some $i \in [\ell' - 1]$ and $j \in [\ell - 1]$). Such a generalized admissible PDAG is denoted $\mathcal{G}_{gtri}$.

Lemma 1 ([5]). Let $C : [\ell] \times [\ell] \to [n]$ be a weakly $t$-reliable $n$-coloring for the square admissible PDAG $\mathcal{G}_{tri}(\ell, \ell)$. Then, we can construct a $t$-reliable $n$-coloring for a rectangular admissible PDAG $\mathcal{G}_{gtri}(2\ell - 1, \ell)$.

Thus, Desmedt et al. have demonstrated that it is sufficient to get a weakly $t$-reliable $n$-coloring for some $\mathcal{G}_{tri}(\ell, \ell)$ in order to construct a $t$-private protocol for computing the $n$-product $f_G$. The communication cost of this protocol is $(n - 1)$ times the number of edges of $\mathcal{G}_{gtri}(2\ell - 1, \ell)$. Since that grid is obtained from $\mathcal{G}_{tri}(\ell, \ell)$ using a mirror, the communication cost of the whole protocol is $O(n \ell^2)$ group elements. The constructions that we propose in this paper are colorings of some grids $\mathcal{G}_{tri}(\ell, \ell)$.

3 A Randomized Construction Achieving Maximal Privacy

In this section, we present a randomized construction ensuring the $t$-privacy of the computation of $f_G$ up to $\frac{n}{2+\epsilon}$. Our scheme has a linear share parameter $\ell = O(n)$.

We use the same random coloring $C_{rand}$ for the grid $\mathcal{G}_{tri}(\ell, \ell)$ as in [5]. However, our analysis is based on percolation theory while Desmedt et al. used a counting-based argument. We first introduce the following definition, which is illustrated in Fig. 2.

Algorithm 1. Coloring $C_{rand}$
Input: A grid $\mathcal{G}_{tri}(\ell, \ell)$.

1. For each $(i, j) \in [\ell] \times [\ell]$, choose the color $C(i, j)$ of node $(i, j)$ independently and uniformly at random from $[n]$.

Output: An $n$-coloring of the grid.


Definition 6. The triangular lattice of depth $\ell$, denoted $T(\ell)$, is a directed graph drawn over an $\ell \times (3\ell - 2)$ grid such that:

- [horizontal edges] for $i \in [\ell]$ and for $j \in [\ell - 1]$, there is a directed edge from node $(i, i + 2j)$ to $(i, i + 2(j - 1))$,

- [right downwards edges] for $i \in [\ell - 1]$ and for $j \in \{0, \ldots, \ell - 1\}$, there is a directed edge from node $(i, i + 2j)$ to node $(i + 1, i + 2j + 1)$,

- [left downwards edges] for $i \in [\ell - 1]$ and for $j \in [\ell - 1]$, there is a directed edge from node $(i, i + 2j)$ to node $(i + 1, i + 2j - 1)$.
Fig. 2. The triangle $T(5)$



Proposition 2. For any positive integer $\ell$, we have a graph isomorphism between $\mathcal{G}_{tri}(\ell, \ell)$ and $T(\ell)$.

Proof. Consider the mapping:

\[ \mathcal{G}_{tri}(\ell, \ell) \to T(\ell), \qquad (i, j) \mapsto (i, i + 2(j - 1)). \]

It is easy to see that the nodes of the two graphs are in bijective correspondence while the direction of each edge is maintained. □

Theorem 2. For any $\epsilon > 0$, there exists a constant $c_\epsilon$ such that if $t < \frac{n}{2+\epsilon}$ and $\ell \ge c_\epsilon n$, then there exists a weakly $t$-reliable $n$-coloring for $\mathcal{G}_{tri}(\ell, \ell)$.

Proof. We prove that the coloring $C_{rand}$ will work with high probability. Let $t_\epsilon = \lfloor \frac{n}{2+\epsilon} \rfloor$ where $\lfloor \cdot \rfloor$ denotes the floor function. Instead of considering the probability that $C_{rand}$ is a weakly $t_\epsilon$-reliable $n$-coloring for $\mathcal{G}_{tri}(\ell, \ell)$, we study the complementary event. A suitable value for $\ell$ will be given at the end of this demonstration.

The coloring $C_{rand}$ is called bad if there exists a color set $I \subseteq [n]$ with $|I| = t_\epsilon$, such that either there are no $I$-avoiding top-bottom paths or there are no $I$-avoiding right-left paths. By the union bound, we obtain the following upper bound on $\Pr(C_{rand} \text{ is bad})$:

\[ 2 \Pr(\exists I \subseteq [n], |I| = t_\epsilon, \text{ there are no } I\text{-avoiding top-bottom paths in } \mathcal{G}_{tri}(\ell, \ell)) \le 2 \sum_{I \subseteq [n],\, |I| = t_\epsilon} \Pr(\text{there are no } I\text{-avoiding top-bottom paths in } \mathcal{G}_{tri}(\ell, \ell)). \quad (1) \]

The factor 2 in (1) comes from the fact that the top-bottom probability is equal to the right-left probability due to the symmetry of the grid $\mathcal{G}_{tri}(\ell, \ell)$ and the coloring $C_{rand}$.

Next, we demonstrate that for a fixed color set $I \subseteq [n]$ with $|I| = t_\epsilon$, the probability that there are no $I$-avoiding top-bottom paths in $C_{rand}$ is exponentially small. Let us fix the color set $I$. We call a vertex closed if its color belongs to $I$. Otherwise, the vertex is called open. The random coloring $C_{rand}$ of each vertex is equivalent to opening it independently and randomly with probability $p := 1 - \frac{t_\epsilon}{n}$. An $I$-avoiding path is simply an open path. Therefore, we get:

\[ \Pr(\text{there are no } I\text{-avoiding top-bottom paths in } \mathcal{G}_{tri}(\ell, \ell)) = \Pr_p(\text{there are no open top-bottom paths in } \mathcal{G}_{tri}(\ell, \ell)) = 1 - \Pr_p(\text{there is an open top-bottom path in } \mathcal{G}_{tri}(\ell, \ell)). \quad (2) \]
We have the following result.

Lemma 2 ([2]). The triangular lattice $T(\ell)$ has the following property:

\[ \Pr_p(\text{there is an open top-bottom path in } T(\ell)) + \Pr_p(\text{there is a closed right-left path in } T(\ell)) = 1. \]

When we combine Lemma 2, Proposition 2 and (2), we obtain the following:

\[ \Pr(\text{there is no } I\text{-avoiding top-bottom path in } \mathcal{G}_{tri}(\ell, \ell)) = \Pr_p(\text{there is a closed right-left path in } T(\ell)) = \Pr_{1-p}(\text{there is an open right-left path in } T(\ell)). \quad (3) \]

In (3), $\Pr_{1-p}(\cdot)$ means that we open each vertex with probability $1 - p$. We have the following result from percolation theory.

Lemma 3 ([13]). Let $T$ be the triangular lattice in the plane. Then, the critical probability of site percolation $p_c^s(T)$ is equal to $\frac{1}{2}$.

When the open probability is less than the critical probability, the percolation has the following properties (see for example Chapter 4, Theorem 9 in [2]).

Lemma 4. If $p < p_c^s(T)$, then there is a constant $c = c(p)$ such that

\[ \Pr_p(0 \to S_n) \le e^{-cn}, \]

where $\{x \to S_n\}$ is the event that there is an open path from $x$ to a point in $S_n(x)$ with $S_n(x) := \{y : d(x, y) = n\}$ and $d(x, y)$ denotes the distance between $x$ and $y$.

Remark: The value $0$ from Lemma 4 represents the zero element of $\mathbb{Z} \times \mathbb{Z}$ when the graph is represented as a lattice over that set. In the case of the triangular lattice depicted in Fig. 2, the value $0$ can be identified with the node $(1, 1)$.

In our case, we have: $1 - p = \frac{t_\epsilon}{n} < p_c^s(T)$. Using Lemma 4 we get:

\[ \Pr_{1-p}(\text{there is an open right-left path in } T(\ell)) \le \ell \, \Pr_{1-p}(0 \to S_{\ell - 1}) \le \ell \, e^{-c(\ell - 1)}. \quad (4) \]

The first inequality is due to the fact that any right-left path has length at least $(\ell - 1)$ in $T(\ell)$. Combining (2)-(4), we obtain:

\[ \Pr(C_{rand} \text{ is bad}) \le 2 \binom{n}{t_\epsilon} \ell \, e^{-c(\ell - 1)}. \]

Thus, if we choose $\ell := c_\epsilon n$ for some large enough constant $c_\epsilon$, this bound becomes negligible in $n$, which guarantees that $C_{rand}$ is a weakly $t_\epsilon$-reliable $n$-coloring for $\mathcal{G}_{tri}(\ell, \ell)$ with overwhelming probability in $n$. □

Corollary 1. There exists a black-box $t_\epsilon$-private protocol for $f_G$ with communication complexity $O(n^3)$ group elements where $t_\epsilon = \lfloor \frac{n}{2+\epsilon} \rfloor$. Moreover, for any $\delta > 0$, we can construct a probabilistic algorithm, with run-time polynomial in $n$ and $\log(\delta^{-1})$, which outputs a protocol $\Pi$ for $f_G$ such that the communication complexity of $\Pi$ is $O(n^3 \log^2(\delta^{-1}))$ group elements and the probability that $\Pi$ is not $t_\epsilon$-private is at most $\delta$.

Proof. The existence of the protocol is a direct consequence of Theorem 2 as well as the different reductions exposed in Sect. 2. As our construction requires $\ell = O(n)$, we deduce that the communication cost of the protocol computing $f_G$ is $O(n^3)$. The justification of the running time of the algorithm and the probability of failure $\delta$ is identical to what is done in [5]. □

We showed that it is possible to build a randomized algorithm to achieve $\lfloor \frac{n}{2+\epsilon} \rfloor$-private computation of $f_G$ using $O(n^3)$ group elements. Even if the probability of failure of our previous construction is small, we would like to remove the randomized restriction so that we can get a (deterministic) protocol which is always guaranteed to succeed. In [5], Desmedt et al. only provided deterministic protocols to compute $f_G$ in polynomial communication cost when $t = O(\log n)$. In the next section, we present a deterministic construction for any $t = O(n^{1-\epsilon})$ where $\epsilon$ is any positive constant. Our construction requires polynomial communication complexity as well.

4 A Deterministic Construction for Secure Computation

In this section, we show how to build a deterministic $t$-private protocol to compute $f_G$ with polynomial communication cost for any $t = O(n^{1-\epsilon})$. First, we focus on particular pairs $(t, n)$. Second, we generalize our result to any $(t, n)$ with $t = O(n^{1-\epsilon})$.

We recursively construct our admissible PDAG $\mathcal{G}_{rec}$ and its coloring $C_{rec}$. Let $d \in \mathbb{N} \setminus \{0, 1\}$ be a constant. Denote by $B_d$ the binomial coefficient $\binom{2d-1}{d-1}$.

Theorem 3. For any positive integer $k$, there is a weakly $t_k$-reliable $n_k$-coloring $C_{rec}(\ell_k)$ for the square admissible PDAG $\mathcal{G}_{rec}(\ell_k)$, where the parameters are:

\[ t_k := d^k - 1, \qquad n_k := (2d - 1)^k \qquad \text{and} \qquad \ell_k = B_d^k (B_d + 1)^{k-1}. \]

Proof. We prove the theorem by induction on $k$.

$k = 1$: We have $t_1 = d - 1$, $n_1 = 2d - 1$ and $\ell_1 = B_d$. We set $\mathcal{G}_{rec}(\ell_1) := \mathcal{G}_{tri}(\ell_1, \ell_1)$. We define $C_{rec}(\ell_1)$ as being the combinatorial coloring $C_{comb}$ designed in [5] and recalled as Algorithm 2.

Algorithm 2. Coloring $C_{comb}$

Input: An $L \times L$ grid where $L = \binom{N}{T}$.

1. Let $I_1, \ldots, I_L$ denote the sequence of all $T$-color subsets of $[N]$ (in some ordering).

2. For each $(i, j) \in [L] \times [L]$, define the color $C(i, j)$ of node $(i, j)$ in the grid to be any color in the set $S_{i,j} := [N] \setminus (I_i \cup I_j)$.

Output: An $N$-coloring of the grid.
Desmedt et al. noticed that, even if we removed the diagonal edges from $\mathcal{G}_{tri}(\ell_1, \ell_1)$, we still had the existence of $I$-avoiding top-bottom and right-left paths. Thus, we assume that $\mathcal{G}_{rec}(\ell_1)$ has no such edges, so that $\mathcal{G}_{rec}(\ell_1)$ is a square grid the side length of which is $\ell_1$ nodes. $\mathcal{G}_{rec}(\ell_1)$ is an admissible PDAG.
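The grid $\mathcal{G}_{tri}(\ell', \ell)$ of Definition 4, the lattice $T(\ell)$ of Definition 6 with the map of Proposition 2, the weak $t$-reliability check of Definition 5 (paths taken in the undirected sense, per the Important Remark), and the two colorings $C_{rand}$ (Algorithm 1) and $C_{comb}$ (Algorithm 2), as one added Python example that is not code from the paper or from Desmedt et al.; the grid sizes, $(N, T)$ pairs and seeds used are constructed inputs. It goes slightly beyond the text by checking Definition 5 exhaustively over every $t$-subset, which is feasible only for the tiny parameters used here.

```python
"""G_tri(l', l) (Definition 4), the triangular lattice T(l) (Definition 6) with the
Proposition 2 map, weak t-reliability (Definition 5), C_rand (Algorithm 1) and
C_comb (Algorithm 2). Added example, not code from the paper; the grid sizes,
the (N, T) pairs and the RNG seeds are constructed inputs.
"""
import itertools
import random
from collections import deque


def g_tri_edges(lp, l):
    """Directed edges of G_tri(l', l) on nodes (i, j), i in [l'], j in [l]."""
    edges = set()
    for i in range(1, lp + 1):
        for j in range(1, l):             # horizontal: (i, j+1) -> (i, j)
            edges.add(((i, j + 1), (i, j)))
    for i in range(1, lp):
        for j in range(1, l + 1):         # vertical: (i, j) -> (i+1, j)
            edges.add(((i, j), (i + 1, j)))
        for j in range(2, l + 1):         # diagonal: (i, j) -> (i+1, j-1)
            edges.add(((i, j), (i + 1, j - 1)))
    return edges


def t_lattice_edges(l):
    """Directed edges of T(l), drawn on an l x (3l-2) grid."""
    edges = set()
    for i in range(1, l + 1):
        for j in range(1, l):             # horizontal
            edges.add(((i, i + 2 * j), (i, i + 2 * (j - 1))))
    for i in range(1, l):
        for j in range(0, l):             # right downwards
            edges.add(((i, i + 2 * j), (i + 1, i + 2 * j + 1)))
        for j in range(1, l):             # left downwards
            edges.add(((i, i + 2 * j), (i + 1, i + 2 * j - 1)))
    return edges


def proposition_2_holds(l):
    """Does (i, j) -> (i, i + 2(j-1)) map the edge set of G_tri(l, l) onto that of T(l)?"""
    phi = lambda v: (v[0], v[0] + 2 * (v[1] - 1))
    return {(phi(u), phi(v)) for u, v in g_tri_edges(l, l)} == t_lattice_edges(l)


def has_avoiding_path(edges, color, sources, targets, forbidden):
    """BFS over the grid regarded as undirected (Important Remark above), stepping
    only on nodes whose color is not in `forbidden` (i.e. an I-avoiding path)."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, []).append(v)
        adj.setdefault(v, []).append(u)
    is_open = lambda v: color[v] not in forbidden
    queue = deque(s for s in sources if is_open(s))
    seen = set(queue)
    while queue:
        v = queue.popleft()
        if v in targets:
            return True
        for w in adj.get(v, ()):
            if w not in seen and is_open(w):
                seen.add(w)
                queue.append(w)
    return False


def is_weakly_t_reliable(l, color, n, t):
    """Definition 5, checked exhaustively over every t-color subset I of [n]."""
    edges = g_tri_edges(l, l)
    top = [(1, j) for j in range(1, l + 1)]
    bottom = {(l, j) for j in range(1, l + 1)}
    right = [(i, l) for i in range(1, l + 1)]
    left = {(i, 1) for i in range(1, l + 1)}
    for I in itertools.combinations(range(1, n + 1), t):
        if not (has_avoiding_path(edges, color, top, bottom, set(I))
                and has_avoiding_path(edges, color, right, left, set(I))):
            return False
    return True


def c_rand(l, n, seed=0):
    """Algorithm 1: every node gets an independent, uniform color from [n]."""
    rng = random.Random(seed)
    return {(i, j): rng.randint(1, n) for i in range(1, l + 1) for j in range(1, l + 1)}


def c_comb(N, T):
    """Algorithm 2: L = C(N, T); node (i, j) gets a color outside I_i and I_j.
    Returns (L, coloring). Needs N - 2T >= 1 so that S_{i,j} is never empty."""
    subsets = list(itertools.combinations(range(1, N + 1), T))
    L = len(subsets)
    color = {}
    for i in range(1, L + 1):
        for j in range(1, L + 1):
            allowed = set(range(1, N + 1)) - set(subsets[i - 1]) - set(subsets[j - 1])
            color[(i, j)] = min(allowed)      # any element of S_{i,j} would do
    return L, color
```

$C_{comb}$ passes the check for every $T$-subset $I_k$ because row $k$ and column $k$ avoid $I_k$ entirely, which is exactly why the $k = 1$ base case above needs no diagonal edges. $C_{rand}$, by contrast, is reliable only with the probability analysed in Theorem 2, so on a small grid a given seed may or may not pass for a given $t$.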

$k > 1$: Suppose we already have the construction and coloring for $k$; we recursively construct $\mathcal{G}_{rec}(\ell_{k+1})$ from $\mathcal{G}_{rec}(\ell_k)$.

We first build the block grid $B$ by copying $(B_d + 1) \times (B_d + 1)$ times $\mathcal{G}_{rec}(\ell_1)$. The connections between two copies of $\mathcal{G}_{rec}(\ell_1)$ are as follows. Horizontally, we draw a directed edge from node $(i, 1)$ in the right-hand side copy to node $(i, \ell_1)$ in the left-hand side copy for $i \in [\ell_1]$ (i.e. we horizontally connect nodes at the same level). Vertically, we draw a directed edge from node $(\ell_1, j)$ in the top side copy to node $(1, j)$ in the bottom side copy for $j \in [\ell_1]$ (i.e. we vertically connect nodes at the same level).

The block $B$ is a $(B_d (B_d + 1)) \times (B_d (B_d + 1))$ grid. It has the following property, the proof of which can be found in Appendix A.

Proposition 3. The block grid $B$ admits a $(2d - 1)$-coloring (just use the same $C_{comb}$ for each copy of $\mathcal{G}_{rec}(\ell_1)$), such that for any $(d - 1)$-color subset $I \subseteq [2d - 1]$, there are $B_d + 1$ horizontal (vertical) $I$-avoiding straight lines in $B$.

Now, we construct $\mathcal{G}_{rec}(\ell_{k+1})$ and its coloring $C_{rec}(\ell_{k+1})$ as follows. We replace each node in $\mathcal{G}_{rec}(\ell_k)$ by a copy of $B$. If the node of $\mathcal{G}_{rec}(\ell_k)$ was colored by the color $c \in [n_k]$, then we color $B$ with the set of colors $\{(2d - 1)(c - 1) + 1, (2d - 1)(c - 1) + 2, \ldots, (2d - 1) c\}$, using $C_{comb}$. All the edges within each copy of $B$ remain identical in $\mathcal{G}_{rec}(\ell_{k+1})$.

Now, we show how to connect two copies of $B$. We first focus on vertical connections. Consider an edge in $\mathcal{G}_{rec}(\ell_k)$ from a node in the $i$-th row to another node in the $(i + 1)$-th row. Since these two nodes have been replaced by two copies of $B$, we denote the nodes on the top copy (i.e. those corresponding to the nodes of the $i$-th row in $\mathcal{G}_{rec}(\ell_k)$) as $v_{1,1}, \ldots, v_{1,B_d}, v_{2,1}, \ldots, v_{B_d+1,B_d}$ and the nodes on the bottom copy as $w_{1,1}, \ldots, w_{1,B_d}, w_{2,1}, \ldots, w_{B_d+1,B_d}$.

For each $(i, j) \in [B_d] \times [B_d]$, we add a directed edge $(v_{i,j}, w_{i,j+i-1})$ in $\mathcal{G}_{rec}(\ell_{k+1})$. If the index $(j + i - 1)$ is greater than $B_d$, $w_{i,j+i-1}$ is the node $w_{i+1,j+i-1-B_d}$. Fig. 3 gives the example for $d = 2$. The connection process works similarly for two consecutive columns, where we replace each horizontal edge from $\mathcal{G}_{rec}(\ell_k)$ by $B_d^2$ different edges in $\mathcal{G}_{rec}(\ell_{k+1})$.

It is clear that the number of nodes on each side of the square $\mathcal{G}_{rec}(\ell_{k+1})$ is:

\[ \ell_{k+1} = B_d (B_d + 1) \cdot \ell_k = B_d^{k+1} (B_d + 1)^k, \]

and the number of colors used in $C_{rec}(\ell_{k+1})$ is $n_{k+1} = (2d - 1) \cdot n_k = (2d - 1)^{k+1}$. The grid $\mathcal{G}_{rec}(\ell_{k+1})$ obtained by this recursive process is also an admissible PDAG due to the horizontal/vertical connection processes between two copies of $B$ (as well as two copies of $\mathcal{G}_{rec}(\ell_1)$ inside $B$).

The last point to prove is that for any $t_{k+1}$-color subset $I \subset [n_{k+1}]$, there is an $I$-avoiding top-bottom (and right-left) path in $G_{rec}(\ell_{k+1})$. We only prove the existence of a top-bottom path in this paper, as the demonstration of the existence of a right-left path is similar. For each $j \in [n_k]$, we define the set $I_j$ as:
\[
I_j := I \cap \{(2d-1)(j-1)+1,\ (2d-1)(j-1)+2,\ \dots,\ (2d-1)j\}.
\]
Since
\[
|I_1| + \dots + |I_{n_k}| = |I| = t_{k+1} = d^{k+1} - 1 \tag{5}
\]
and each $|I_j| \le 2d-1$, there are at least $(n_k - t_k)$ subsets having at most $(d-1)$ elements. Indeed, in the opposite case at most $n_k - t_k - 1$ of the $I_j$ would have at most $d-1$ elements, so at least $n_k - (n_k - t_k - 1) = t_k + 1 = d^k$ of them would have at least $d$ elements, and we would have:
\[
|I_1| + \dots + |I_{n_k}| \ge d\,(n_k - (n_k - t_k - 1)) = d \cdot d^k = d^{k+1},
\]
which would contradict (5). Let $S \subset [n_k]$ be the set of these indices (i.e. for each $j \in S$, $|I_j| \le d-1$). We have $|[n_k] \setminus S| \le t_k$. By the induction hypothesis, there is a $([n_k] \setminus S)$-avoiding top-bottom path in $G_{rec}(\ell_k)$, i.e. the colors used on this path all belong to $S$. Let $v_1, \dots, v_m$ be the vertices of the path and denote the color of node $v_j$ as $c_j \in S$ ($j \in [m]$).

Now we show there is an $I$-avoiding top-bottom path in $G_{rec}(\ell_{k+1})$. In $G_{rec}(\ell_{k+1})$, each node $v_j$ has been replaced by a copy $B_{v_j}$ with colors in $\{(2d-1)(c_j-1)+1,\ (2d-1)(c_j-1)+2,\ \dots,\ (2d-1)c_j\}$. Since the color set $I_{c_j}$ satisfies $|I_{c_j}| \le d-1$, by Proposition 3 we deduce that there are $B_d+1$ horizontal and $B_d+1$ vertical $I_{c_j}$-avoiding paths in $B_{v_j}$.

One can show that this property implies the existence of an $I$-avoiding top-bottom path in $G_{rec}(\ell_{k+1})$. This top-bottom path is the concatenation of an $I_{c_1}$-avoiding path (from $B_{v_1}$), an $I_{c_2}$-avoiding path (from $B_{v_2}$), ..., an $I_{c_m}$-avoiding path (from $B_{v_m}$). The reader can find more details about this process in Appendix B. A similar demonstration leads to the existence of an $I$-avoiding right-left path in $G_{rec}(\ell_{k+1})$, which completes the demonstration of our theorem. □
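The counting step of this induction (the partition of $I$ into the $I_j$, the set $S$ of coarse colors whose block meets $I$ in at most $d-1$ colors, and the descent down to $G_{rec}(\ell_1)$) can be carried out mechanically. The following Python is an added example written for this page, not code from the paper: it encodes only the coloring recursion $n_k = (2d-1)^k$, $t_k = d^k - 1$ and checks, exhaustively for $d = 2$, $k = 2$ and by sampling for larger parameters, that every $t_k$-color set descends to level 1 without ever exceeding the threshold at any level, which is exactly what the induction hypothesis needs. The function names are choices made here.

```python
from itertools import combinations
import random

# Added example, not code from the paper: the colour-counting step of the induction
# (sets I_j, the set S, and the recursion down to G_rec(l_1)) for the colouring
# n_k = (2d-1)^k, t_k = d^k - 1 of the recursive grid.


def params(d: int, k: int) -> tuple:
    """(n_k, t_k): number of colours and privacy threshold of G_rec(l_k)."""
    return (2 * d - 1) ** k, d ** k - 1


def block_colours(d: int, c: int) -> set:
    """Colours of the block B_v replacing a node of colour c: {(2d-1)(c-1)+1, ..., (2d-1)c}."""
    return set(range((2 * d - 1) * (c - 1) + 1, (2 * d - 1) * c + 1))


def coarse_avoid_set(I: set, d: int, k: int) -> set:
    """Given the colours I to avoid in G_rec(l_k), return [n_{k-1}] \\ S: the coarse
    colours c whose block meets I in at least d colours, i.e. |I_c| > d - 1."""
    n_prev, _ = params(d, k - 1)
    return {c for c in range(1, n_prev + 1) if len(I & block_colours(d, c)) >= d}


def avoid_chain(I: set, d: int, k: int) -> list:
    """Descend the recursion from level k to level 1. At every level the avoided set
    must have at most t_level colours (the induction hypothesis); returns the sets."""
    chain = []
    avoided = set(I)
    for level in range(k, 0, -1):
        _, t_level = params(d, level)
        if len(avoided) > t_level:
            raise ValueError(f"level {level}: {len(avoided)} colours avoided > t = {t_level}")
        chain.append(avoided)
        if level > 1:
            avoided = coarse_avoid_set(avoided, d, level)
    return chain


def lemma_holds(d: int, k: int, samples: int = 0, seed: int = 1) -> bool:
    """True if every t_k-subset of [n_k] (all of them, or `samples` random ones)
    descends to level 1 without exceeding the threshold at any level."""
    n_k, t_k = params(d, k)
    colours = range(1, n_k + 1)
    if samples:
        rng = random.Random(seed)
        subsets = (rng.sample(colours, t_k) for _ in range(samples))
    else:
        subsets = combinations(colours, t_k)
    try:
        for I in subsets:
            avoid_chain(set(I), d, k)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(params(2, 2))                   # (9, 3)
    print(avoid_chain({1, 2, 3}, 2, 2))   # [{1, 2, 3}, {1}]: block 1 is hit 3 times, so colour 1 is avoided one level down
    print(lemma_holds(2, 2), lemma_holds(2, 3, samples=2000), lemma_holds(3, 2, samples=300))
```

`avoid_chain` raises as soon as a level would need to avoid more than $t_{\text{level}}$ colours, so a `True` from `lemma_holds` is a direct check of the pigeonhole bound at every level of the recursion, not only at the top one.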

The communication complexity of the protocol to $t_k$-privately compute the function $f_G(x_1, \dots, x_{n_k})$ using the previous admissible PDAG is $O(n_k\,\ell_k^2)$ group elements, where
\[
\ell_k \le B_d^k (B_d+1)^{k-1} \le 2^{(2d-1)k} \times 2^{(2d-1)(k-1)} \le 2^{2k(2d-1)} \le n_k^{\frac{2(2d-1)}{\log_2(2d-1)}}.
\]
Note that the last inequality comes from $2^k = n_k^{1/\log_2(2d-1)}$.

Now, we generalize our result to any $(t,n)$ where $t = O(n^{1-\varepsilon})$ for any fixed positive $\varepsilon$. The class $O(n^{1-\varepsilon})$ is the set of all functions $f$ such that: $\exists r > 0\ \exists n_0 > 0 : \forall n \ge n_0,\ f(n) \le r\,n^{1-\varepsilon}$. In our case, the function $f$ is the privacy level $t$. Our main result is stated as follows.

Theorem 4. For any fixed $\varepsilon > 0$ and any fixed $r > 0$, there exists a constant $n_{\varepsilon,r} \in \mathbb{N}$ such that for any $n \ge n_{\varepsilon,r}$, if $t \le r\,n^{1-\varepsilon}$, then there exists a black-box $t$-private protocol to compute $f_G$ with communication complexity polynomial in $n$. Moreover, there is a deterministic polynomial time algorithm to construct the protocol.

Proof. We fix $\varepsilon > 0$ and $r > 0$. We set $d := 2^{\lceil 1/\varepsilon \rceil}$ and $k := \lfloor \log_{(2d-1)} n \rfloor$. We have $d \ge 2$. If $n \ge 2d-1$ then $k \ge 1$. In such a condition, we can apply Theorem 3 for the pair $(k,d)$. There exists a $t_k$-private protocol to compute the value $f_G(x_1, \dots, x_{n_k})$ using $O(n_k\,\ell_k^2)$ group elements, where $t_k$, $n_k$, $\ell_k$ are defined as in Theorem 3. It is clear that the construction also $t'$-privately computes $f_G(x_1, \dots, x_{n'})$ for any $(t', n')$ such that $t' \le t_k$ and $n' \ge n_k$. So, we only need to show $r\,n^{1-\varepsilon} \le t_k$, $n \ge n_k$ and $\ell_k = \mathrm{poly}(n)$. Due to our choice of $d$ and $k$, we have:
\[
n_k = (2d-1)^{\lfloor \log_{(2d-1)} n \rfloor} \le (2d-1)^{\log_{(2d-1)} n} = n.
\]
And:
\[
t_k = d^{\lfloor \log_{(2d-1)} n \rfloor} - 1 \ge d^{\log_{(2d-1)} n - 1} - 1 = \frac{n^{\frac{\log_2 d}{\log_2 (2d-1)}}}{d} - 1 \ge \frac{n^{\frac{\log_2 d}{\log_2 (2d)}}}{d} - 1.
\]
Since $d = 2^{\lceil 1/\varepsilon \rceil}$, we get:
\[
t_k \ge \frac{n^{\frac{\lceil 1/\varepsilon \rceil}{\lceil 1/\varepsilon \rceil + 1}}}{2^{\lceil 1/\varepsilon \rceil}} - 1.
\]
Since $\varepsilon$ is a fixed positive constant and $\frac{\lceil 1/\varepsilon \rceil}{\lceil 1/\varepsilon \rceil + 1} = 1 - \frac{1}{\lceil 1/\varepsilon \rceil + 1} > 1 - \varepsilon$, the mapping
\[
n \longmapsto \frac{n^{\frac{\lceil 1/\varepsilon \rceil}{\lceil 1/\varepsilon \rceil + 1} - (1-\varepsilon)}}{2^{\lceil 1/\varepsilon \rceil}}
\]
has an infinite limit. Therefore:
\[
\exists \tilde{n}_{\varepsilon,r} > 0 : \forall n \ge \tilde{n}_{\varepsilon,r},\quad \frac{n^{\frac{\lceil 1/\varepsilon \rceil}{\lceil 1/\varepsilon \rceil + 1} - (1-\varepsilon)}}{2^{\lceil 1/\varepsilon \rceil}} \ge r + \frac{1}{n^{1-\varepsilon}},
\]
which, after multiplying both sides by $n^{1-\varepsilon}$, gives $t_k \ge r\,n^{1-\varepsilon}$. Remember that we earlier required $n \ge 2d-1$ in order to use Theorem 3. If we set $n_{\varepsilon,r} := \max(2d-1, \tilde{n}_{\varepsilon,r})$ then:
\[
\forall n \ge n_{\varepsilon,r}: \qquad n_k \le n \quad\text{and}\quad t_k \ge r\,n^{1-\varepsilon} \ge t.
\]
It remains to argue about $\ell_k$. Since $n_k \le n$, we have $\ell_k \le n^{\frac{2(2d-1)}{\log_2(2d-1)}}$. Since $d$ is independent from $n$, $\ell_k$ is upper bounded by a polynomial in $n$. □
The previous theorem claims that for any fixed $\varepsilon$, if $n$ is chosen large enough then we can $t$-privately compute $f_G$ for any $t = O(n^{1-\varepsilon})$. Such an asymptotic survey is also performed by Desmedt et al. However, in practical applications, the number of participants is not asymptotically large. The deterministic construction by Desmedt et al. has polynomial cost when $t = O(\log n)$. We now present a result valid for any group size $n$ which guarantees privacy for larger $t$'s than Desmedt et al.'s construction, using polynomial communication as well.

Theorem 5. For any positive integer $n$ no smaller than 3, there exists a black-box protocol for $f_G$ which is $(\lceil n^{0.63}/2 \rceil - 1)$-private. It requires the $n$ participants to exchange $O(n^6)$ group elements. Moreover, there is a deterministic polynomial time algorithm to construct the protocol.

Proof. We set $d := 2$ and $k := \lfloor \log_3 n \rfloor$. The protocol obtained using Theorem 3 has parameters $n_k \le n$ and $t_k = 2^k - 1 \ge \frac{n^{\log_3 2}}{2} - 1 \ge \frac{n^{0.63}}{2} - 1$; as $t_k$ is an integer, $t_k \ge \lceil n^{0.63}/2 \rceil - 1$. We have $B_2 = 3$. Therefore:
\[
\ell_k \le 3^k \cdot 4^{k-1} \le \frac{n^{1 + \log_3 4}}{4} \le \frac{n^{2.27}}{4}.
\]
Thus, we obtain: $n_k\,\ell_k^2 = O(n^6)$. □
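To make the parameter choices of Theorems 4 and 5 concrete for a given number of parties (the optimization the conclusion alludes to), the following Python, an added example rather than code from the paper, instantiates $n_k$, $t_k$, $\ell_k$ and the $O(n_k\ell_k^2)$ communication term. Only $B_2 = 3$ is stated on the page; for $d > 2$ the code substitutes the upper bound $B_d \le 2^{2d-1}$ used in the proof above, so its grid sizes for $d > 2$ are upper bounds, not exact values. `level_for`, `rec_params`, `theorem5` and `best_choice` are names chosen here.

```python
import math

# Added example, not code from the paper: instantiates the parameters of the recursive
# construction (n_k = (2d-1)^k, t_k = d^k - 1, l_k = B_d^k (B_d+1)^(k-1)) for a concrete
# number of parties n, as the proofs of Theorems 4 and 5 do.  Only B_2 = 3 is given on
# the page; for d > 2 the upper bound B_d <= 2^(2d-1) from the proof is used instead.


def b_bound(d: int) -> int:
    """Grid parameter B_d of Desmedt et al.: exact for d = 2, the bound 2^(2d-1) otherwise."""
    return 3 if d == 2 else 2 ** (2 * d - 1)


def level_for(n: int, d: int) -> int:
    """k = floor(log_{2d-1} n), computed with integers to avoid floating-point rounding."""
    k, base = 0, 2 * d - 1
    while base ** (k + 1) <= n:
        k += 1
    return k


def rec_params(d: int, k: int) -> dict:
    """Parameters of G_rec(l_k): colours n_k, privacy t_k, side length l_k and the
    n_k * l_k^2 communication term (k >= 1)."""
    b = b_bound(d)
    n_k, t_k = (2 * d - 1) ** k, d ** k - 1
    l_k = b ** k * (b + 1) ** (k - 1)
    return {"n_k": n_k, "t_k": t_k, "l_k": l_k, "comm": n_k * l_k ** 2}


def theorem5(n: int) -> dict:
    """Instantiation d = 2, k = floor(log_3 n) of Theorem 5, with the threshold it claims
    and the O(n^6) bound it states (n >= 3)."""
    k = level_for(n, 2)
    p = rec_params(2, k)
    p["claimed_t"] = math.ceil(n ** 0.63 / 2) - 1
    p["comm_bound"] = n ** 6
    return p


def best_choice(n: int, max_d: int = 6) -> dict:
    """Among d = 2..max_d with k = floor(log_{2d-1} n) >= 1, pick the largest t_k, ties
    broken by the smaller communication term.  The protocol for (t_k, n_k) is t'-private
    for any t' <= t_k and n' >= n_k, so n_k <= n is all that is needed."""
    best = None
    for d in range(2, max_d + 1):
        k = level_for(n, d)
        if k < 1:
            continue
        p = dict(rec_params(d, k), d=d, k=k)
        if best is None or (p["t_k"], -p["comm"]) > (best["t_k"], -best["comm"]):
            best = p
    return best


if __name__ == "__main__":
    print(theorem5(100))      # t_k = 15 >= claimed 9, comm well below 100^6
    print(best_choice(100))   # d = 5, k = 2: t_k = 24 on n_k = 81 colours, but a far larger grid
```

Running `best_choice(100)` shows the trade-off: $d = 5$, $k = 2$ reaches $t_k = 24$ on $n_k = 81$ colors, while the $d = 2$ instantiation of Theorem 5 reaches $t_k = 15$ with a grid several orders of magnitude smaller (and with the exact $B_2$ rather than a bound). Both are polynomial, but the caller has to weigh the privacy threshold against the communication term.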

5 Conclusion and Open Problems

In this paper, we first demonstrated that we could construct a probabilistic $t$-private protocol computing the $n$-product function over any non-Abelian group for any $t$ up to $\frac{n}{2+\varepsilon}$ (for any fixed positive $\varepsilon$), thus nearly matching the known upper bound $\lceil n/2 \rceil - 1$. As the communication complexity of our construction is $O(n^3)$ group elements, this result answers one of the questions asked by Desmedt et al. concerning the largest collusion resistance achievable with an admissible PDAG of size polynomial in $n$. Note that Desmedt et al. indicated the discovery of a construction for $(n,t) = (24,11)$ improving locally their own theoretical bound $\frac{n}{2.948}$, since $11 \approx \frac{24}{2.182}$. Our result demonstrates the existence of such a construction for any fixed positive $\varepsilon$ (in Desmedt et al.'s example, we have the particular case $\varepsilon = 0.182$). Since the scheme developed by Desmedt et al. (exclusively valid for $t < \frac{n}{2.948}$) only requires $O(n\,t^2)$ elements to be exchanged, a direction to further investigate is the existence of a (randomized) $t$-private protocol for any $t \le \lceil n/2 \rceil - 1$ having at most the cost of Desmedt et al.'s scheme.

Second, we showed that it was possible to construct a deterministic $t$-private $n$-party protocol to compute $f_G$ having a polynomial communication cost for any $t = O(n^{1-\varepsilon})$. For practical purposes, one may want to optimize the choice of parameters in our construction. For example, we have proved that one could $t$-privately compute $f_G$ for any $(t,n)$ satisfying $t \le \lceil n^{0.63}/2 \rceil - 1$.

Desmedt et al. argued that the reduction from a protocol computing the $n$-product to a subroutine computing the shared 2-product extends to the more general function $f_G(x_1, \dots, x_m) := x_1 \cdot x_2 \cdots x_m$, where $m \ge n$ and each of the $n$ parties holds one or more input values. This ensured the validity of their protocol to securely compute this extended function as well. Since the constructions that we presented are particular admissible PDAGs, our results are also valid for computing it.

Our work leads to the following two questions. First, is it possible to reduce the communication cost when $t = O(n^{1-\varepsilon})$? Second, can we generalize this approach to design a deterministic algorithm with polynomial communication cost for any $t$ up to the threshold $\lceil n/2 \rceil - 1$?

Apart from the previous points, which constitute directions to improve the security for the passive adversary model, a problem which requires attention is the possibility of achieving secure computation of $f_G$ against malicious parties. Indeed, even if multiparty computation can be used with small groups (as in the case of the Millionaires' problem), the general purpose is to enable large communication groups to perform common computations, and the larger the number of parties is, the more likely (at least) one of them will deviate from the given protocol.
A Proof of Proposition 3

Let $I$ be a $(d-1)$-color subset of $[2d-1]$. Desmedt et al. demonstrated that there were an $I$-avoiding top-bottom path and an $I$-avoiding right-left path in $G_{tri}(\ell_1, \ell_1)$. They also showed that those two paths were straight lines. Thus, one can remove the diagonal edges of $G_{tri}(\ell_1, \ell_1)$ while preserving those paths. This means that there exist an $I$-avoiding top-bottom path and an $I$-avoiding right-left path in $G_{rec}(\ell_1)$ which are straight lines.

Since $B$ is a $(B_d+1) \times (B_d+1)$-copy of $G_{rec}(\ell_1)$ and, due to the vertical/horizontal connections of these copies, we deduce that there are $(B_d+1)$ $I$-avoiding top-bottom paths and $(B_d+1)$ $I$-avoiding right-left paths in $B$. Moreover, each of these paths is a straight line.

B Connection of Color Avoiding Paths

It was shown in the proof of Theorem 3 that each block $B_{v_i}$ had $B_d+1$ horizontal and $B_d+1$ vertical $I_{c_i}$-avoiding paths. In this appendix, we show how to construct an $I$-avoiding top-bottom path in $G_{rec}(\ell_{k+1})$. Our path will start at the top of $B_{v_1}$ and end at the bottom of $B_{v_m}$.

Every grid from the family $(G_{rec}(\ell_\lambda))_{\lambda \ge 1}$ is a square grid. Thus, the sequence of blocks $B_{v_1}, \dots, B_{v_m}$ in $G_{rec}(\ell_{k+1})$ is determined by the position of $B_{v_1}$ as well as the $m$-tuple of letters from $\{\mathfrak{L}, \mathfrak{R}, \mathfrak{T}, \mathfrak{B}\}$ (Left, Right, Top, Bottom) indicating the output side of the block $B_{v_i}$ for $i \in [m]$. Note that the last letter of the tuple is always $\mathfrak{B}$ since the $I$-avoiding top-bottom path ends at the bottom of $B_{v_m}$.

This tuple has the property that two consecutive letters cannot be opposite to each other (i.e. one cannot have $(\mathfrak{L}, \mathfrak{R})$, $(\mathfrak{R}, \mathfrak{L})$, $(\mathfrak{T}, \mathfrak{B})$ or $(\mathfrak{B}, \mathfrak{T})$). This means that you leave a block on a different side from the one through which you entered it. The reader can check the correctness of this claim by a simple recursive process on the parameter $k$. This property is trivially true for $k = 1$ since $G_{rec}(\ell_1)$ is $G_{tri}(\ell_1, \ell_1)$ without its diagonal edges. The recursion follows from the path construction that we design below.

Proposition 4. Let $i$ be any element of $[m]$. Assume that $N$ is any node on a side of $B_{v_i}$ belonging to an $I_{c_i}$-avoiding straight line path. For each other side $\sigma_i$ of $B_{v_i}$, we can construct an $I_{c_i}$-avoiding path from $N$ to any of the $(B_d+1)$ nodes on $\sigma_i$ belonging to an $I_{c_i}$-avoiding straight line path.

Proof. We only provide a proof when $N$ is on the top side of $B_{v_i}$ (the three other cases are similar). The three possible output sides are $\mathfrak{B}$, $\mathfrak{L}$ and $\mathfrak{R}$. The block $B_{v_i}$ is a $(B_d+1) \times (B_d+1)$-copy of the original grid $G_{rec}(\ell_1)$. Thus, $B_{v_i}$ can be treated as a $(B_d+1) \times (B_d+1)$ array of grids $G_{rec}(\ell_1)$. Based on this observation, we will use the terminology grid-row (respectively grid-column) to denote a set of $B_d+1$ horizontal (respectively vertical) grids $G_{rec}(\ell_1)$ in $B_{v_i}$.

1. $\sigma_i = \mathfrak{B}$. The vertical $I_{c_i}$-avoiding path starting at node $N$ intersects the horizontal $I_{c_i}$-avoiding path located within the bottom grid-row of $B_{v_i}$ at node $X$. That horizontal path intersects each of the $B_d+1$ vertical $I_{c_i}$-avoiding paths (one within each grid-column) at $X_1, \dots, X_{B_d+1}$. Note that $X = X_p$ for some $p \in [B_d+1]$. Once we are at one of the $X_j$'s, we simply go vertically downwards to the node $N_j$ located at the bottom side of the block $B_{v_i}$.

Thus, we can construct a path from $N$ to each of the $B_d+1$ output nodes on the bottom side of $B_{v_i}$ belonging to the vertical $I_{c_i}$-avoiding paths. Those paths are $(N, X, X_j, N_j)$ for $j \in [B_d+1]$.

2. $\sigma_i = \mathfrak{R}$. The vertical $I_{c_i}$-avoiding path starting at node $N$ intersects the horizontal $I_{c_i}$-avoiding path located within the top grid-row of $B_{v_i}$ at node $X$. That horizontal path intersects the vertical $I_{c_i}$-avoiding path located within the rightmost grid-column of $B_{v_i}$ at node $Y$. This vertical path intersects each of the $B_d+1$ horizontal $I_{c_i}$-avoiding paths (one within each grid-row) at $Y_1, \dots, Y_{B_d+1}$. As before, we get $Y = Y_p$ for some $p \in [B_d+1]$. Once we are at one of the $Y_j$'s, we horizontally go rightwards to the node $N_j$ located on the right hand side of the block $B_{v_i}$.

Thus, we can construct a path from $N$ to each of the $B_d+1$ output nodes on the right hand side of $B_{v_i}$ belonging to the horizontal $I_{c_i}$-avoiding paths. Those paths are $(N, X, Y, Y_j, N_j)$ for $j \in [B_d+1]$.

3. $\sigma_i = \mathfrak{L}$. This is analogous to the previous case. □

We can finally construct an $I$-avoiding top-bottom path in $G_{rec}(\ell_{k+1})$. We denote the $m$-tuple of output sides as $(\sigma_1, \dots, \sigma_m)$. As previously said, we have $\sigma_m = \mathfrak{B}$.

We start at any node $N_1$ located on the top side of $B_{v_1}$ and on a vertical $I_{c_1}$-avoiding path. Using Proposition 4, we can connect $N_1$ to any of the $B_d+1$ nodes on side $\sigma_1$ of $B_{v_1}$ using an $I_{c_1}$-avoiding path. An important remark is that each block of the whole grid $G_{rec}(\ell_{k+1})$ is a set of $(B_d+1) \times (B_d+1)$ identical copies of $G_{rec}(\ell_1)$ (including the coloring). As a consequence, these $B_d+1$ nodes have the same location in their respective copies of $G_{rec}(\ell_1)$. Given the connection process between any pair of blocks within $G_{rec}(\ell_{k+1})$, one of these $B_d+1$ nodes must be connected to a node $N_2$ from block $B_{v_2}$ belonging to an $I_{c_2}$-avoiding straight line path. Similarly, $N_2$ is connected via an $I_{c_2}$-avoiding path in $B_{v_2}$ to a node $N_3$ from $B_{v_3}$ belonging to an $I_{c_3}$-avoiding straight line path. If we repeat this process for each of the remaining blocks, we obtain a set of $m-1$ nodes $N_1, \dots, N_{m-1}$. The last node $N_{m-1}$ can be connected to a node $N_m$ on the bottom side of $B_{v_m}$ using an $I_{c_m}$-avoiding path. Thus, $N_1$ (top side of $G_{rec}(\ell_{k+1})$) is connected to $N_m$ (bottom side of $G_{rec}(\ell_{k+1})$) using an $I$-avoiding path, which completes the demonstration of our theorem.

Remark: As claimed above, this construction implies that two consecutive side letters of the $m$-tuple cannot be opposite to each other.
Abstract. In the 1940s, Shannon applied his information theory to build a mathematical foundation for classical cryptography, which studies how information can be securely encrypted and communicated. In the internet age, Turing's theory of computation has been summoned to augment Shannon's model and create new frameworks, under which numerous cryptographic applications have blossomed. Fundamental concepts, such as "information" and "knowledge transfer", often need to be re-examined and reformulated. The amalgamation process is still ongoing in view of the many unsolved security issues. In this talk we give a brief overview of the background, and discuss some of the recent developments in complexity-based cryptography. We also raise some open questions and explore directions for future work.
Abstract. We study the security of the widely deployed Secure Sockets Layer (SSL)/Transport Layer Security (TLS) key agreement protocol. Our analysis identifies, justifies, and exploits the modularity present in the design of the protocol: the application keys offered to higher level applications are obtained from a master key, which in turn is derived, through interaction, from a pre-master key.

Our first contribution consists of formal models that clarify the security level enjoyed by each of these types of keys. The models that we provide fall under well established paradigms in defining execution and security notions. We capture the realistic setting where only one of the two parties involved in the execution of the protocol (namely the server) has a certified public key, and where the same master key is used to generate multiple application keys.

The main contribution of the paper is a modular and generic proof of security for the application keys established through the TLS protocol. We show that the transformation used by TLS to derive master keys essentially transforms an arbitrary secure pre-master key agreement protocol into a secure master-key agreement protocol. Similarly, the transformation used to derive application keys works when applied to an arbitrary secure master-key agreement protocol. These results are in the random oracle model. The security of the overall protocol then follows from proofs of security for the basic pre-master key generation protocols employed by TLS.

1 Introduction

The SSL key agreement protocol, developed by Netscape, was made publicly available in 1994 and, after various improvements, has formed the basis for the TLS protocol, which is nowadays ubiquitously present in secure communications over the internet. Surprisingly, despite its practical importance, this protocol had never been analyzed using the rigorous methods of modern cryptography. In this paper we offer one such analysis. Before describing our results and discussing their implications we recall the structure of the TLS protocol (Figure 1). The protocol proceeds in six phases. Through phases (1) and (2) parties confirm their willingness to engage in the protocol, exchange, and verify the validity of their identities and public keys (it is assumed that at least one party (the server) possesses a long term public/private key pair $(PK_B, SK_B)$, as well as a certificate $\mathrm{sig}_{CA}(PK_B)$ issued by some certification authority $CA$). The next four phases, which are the focus of this paper, are as follows.

(3) A pre-master secret $s \in S_{pms}$ is obtained using one of a number of protocols that include RSA based key transport and signed Diffie-Hellman key exchange (which we describe and analyze later in the paper).

(4) The pre-master secret key $s$ is used to derive a master secret $m \in S_{ms}$, with $m = G(s, r_A, r_B)$. Here $r_A, r_B$ are random nonces that the two parties exchange and $G$ is a key derivation function. The obtained master secret key is confirmed by using it to compute two MACs of the transcript of the conversation, which are then exchanged.

(5) In the next phase the master key $m$ is used to obtain one or more application keys: for each application key, the parties exchange random nonces $n_A$ and $n_B$ and compute the shared application key via $k = k' \,\|\, k'' \leftarrow H(m, n_A, n_B)$. Here, $H$ is a key derivation function. Notice that each application key is actually two keys: one for securing communication from the client to the server, and one from the server to the client. This is important to prevent reflection attacks.

(6) Finally the application keys are used in an application (and we exhibit one possible use for encrypting some arbitrary messages). We emphasise that many applications can use the same master key by repeated application of Steps 5 and 6.

The proper use of keys in this last stage had been the object of previous studies and is not part of our analysis.

An interesting aspect of TLS is that the protocols used to obtain the pre-master secret in Step (3) are very simplistic and on their own insecure in the terms of modern cryptography. It is the combination of step (3) with those in (4) and (5) which leads (as we show in this paper) to a secure key agreement protocol in the standard sense. Broadly speaking, our goal is to derive sufficient security conditions on the pre-master key agreement protocol which would ensure that the above combination indeed yields a secure key-agreement protocol in a standard cryptographic sense.

We caution that in our analysis we disregard steps (1) and (2), and therefore assume an existing PKI which authenticates all public keys in use in the system. In particular we do not take into account any so-called PKI attacks.

Models. Much of the previous work on key agreement protocols in the provable 
security community has focused on defining security models and then creating 
protocols which meet the security goals of the models. In some sense, we are taking 
the opposite approach: we focus on a particular existing protocol, namely TLS, 
and develop security models that capture the security levels that the various keys 
derived in one execution of the protocol enjoy. The path we take is also motivated 
by the lack of models that capture precisely the security of these keys. 
Fig. 1. A general TLS-like protocol

A second important aspect of our approach is that unlike in prior work on key- 
agreement protocols, we do not regard the protocol as a monolithic structure. In- 
stead, we identify the structure described above and give security models for each 
of the keys that are derived in the protocol. A benefit that follows from this mod- 
ular approach is that we split the analysis of the overall protocol to the analysis 
of its components, thus making the task of proving security more manageable. 

We first provide a model for pre-master key agreement protocols. The model is a weakened version of the Blake-Wilson, Johnson and Menezes (BJM) model. In particular we only require that pre-master key agreement protocols are secure in a one-way sense (the adversary cannot recover the entire established key), and that the protocol is secure against man-in-the-middle attacks. In addition, unlike in prior work, we model the realistic setting where only one of the parties involved in the protocol is required to possess a certified public key.

Next, we give a security model for master-key agreement protocols which strengthens the one described above. We still only require secrecy for keys in the one-wayness sense, but now we ask for the protocol to also be secure against unknown-key-share attacks. In addition, we introduce key-confirmation as a requirement for master keys.

Finally, via a further extension, we obtain a model for the security of application key agreement protocols. Our model for application key security is rather standard, and resembles the BJM model: we require the established key to be indistinguishable from a randomly chosen one, and we give the adversary complete control over the network, and various corruption capabilities. Our model explicitly takes into consideration the possibility that the same master key is used to derive multiple application keys.

Security analysis of the TLS handshake protocol. Based on the models that we developed, we give a security proof for the TLS handshake protocol. In particular, we analyze a version where the MAC sent in step 4 is passed in the clear (and not encrypted under the application keys as in full TLS). It is intuitively clear that the security of the full TLS protocol follows from our analysis. While a direct analysis of the latter may be desirable, we choose to trade immediate applicability of our results to full TLS for the modularity afforded by our abstraction.

Our proof is modular and generic. Specifically, we show that the protocol $(\Pi; \mathrm{MKD}_{SSL}(\mathrm{Mac}, G))$ obtained by appending to an arbitrary pre-master key agreement protocol $\Pi$ the flows in phase (4) of TLS is a secure master-key agreement protocol in the sense that we define in this paper. The result holds provided that the message authentication code used in the transformation is secure and the hash function in the construction is modeled as a random oracle. Similarly, we show that starting from an arbitrary secure master-key agreement protocol $\Pi$, the protocol $(\Pi; \mathrm{AK}_{SSL}(H))$ obtained by appending the flows in phase (5) of TLS is a secure application-key agreement protocol (provided that $H$ is modeled as a random oracle).

An important benefit of the modular approach that we employ surfaces at this stage: to conclude the security of the overall protocol it is sufficient to show that the individual pre-master key agreement protocols of TLS are indeed secure (in the weak sense that we put forth in this paper). The analysis is thus more manageable, and avoids duplicating and rehashing proof ideas, which would be the case if one were to analyze TLS in its entirety for each distinct method for establishing pre-master keys.

Impact on practice. An implication of practical consequence of our analysis concerns the use of encryption for implementing the pre-master key agreement protocol of TLS. Currently, the RSA key transport mode of TLS uses a randomized padding mechanism to avoid known problems with vanilla RSA. The original choice was the encryption scheme from PKCS #1 v1.5. The exact choice is historic, but in modern terms was made to attempt to create an IND-CCA encryption scheme. It turns out that the encryption scheme from PKCS #1 v1.5 is not in fact IND-CCA secure. This was exploited in the famous reaction attack by Bleichenbacher on SSL, where invalid ciphertext messages were used to obtain pre-master secret keys. Our analysis implies that no randomized padding mechanism is actually needed, as deterministic encryption suffices to guarantee the security of the whole protocol.

A Modular Security Analysis of the TLS Handshake Protocol

Importantly, our models do capture security against reaction attacks as long as the full behaviour of the protocol is specified and analyzed. The key aspect is that the analysis should include the behaviour of the parties when the messages that they receive do not follow the protocol (e.g. are malformed). Our analysis of the premaster key agreement based on encryption schemes (e.g. that based on RSA) considers and thus justifies the validity of the patch proposed to cope with reaction attacks, i.e. by ensuring that the execution when malformed packages are received is indistinguishable from honest executions.

Our models can be used to explicitly capture one-way and mutual authentica- 
tion via public-key certificate information. We do not model variants of the stan- 
dard TLS protocol which can include password-based authentication or shared 
key-based techniques. We leave these extensions for future work. 

It is important to observe that our model does not require that the application 
keys satisfy a notion of key-confirmation (as we require for the master-keys). 
Indeed, the TLS protocol does not ensure this property. However, one may obtain 
implicit key confirmation through the use of such keys in further applications. In 
some sense, this loss is a by-product of the way we have broken up the protocol. 
One of our goals was to show what security properties each of the stages provides, 
and therefore we modeled and analyzed the security of the application keys. 
However, if one considers Stages 1-4 as the key agreement protocol, and stages 
5-6 as the application where the keys are used, then one does obtain an explicit 
notion of key confirmation. Hence, the loss of explicit key confirmation in Stage 
5 should not be considered a design flaw in TLS. 

On the use of the random oracle model. In our proofs we assume that the key derivation function is a random oracle, i.e. an idealized randomness extractor. As such, the typical disclaimer associated to proofs in the random oracle model certainly applies, and we caution against over-optimism in their interpretation. A natural and important question is whether a standard model analysis is possible, ideally assuming that the key derivation function is pseudorandom (as is the function based on HMAC used in the current specification of TLS). Unfortunately, indirect evidence indicates that such a result is extremely hard to obtain. As observed by Jonsson and Kaliski in their analysis of the use of RSA in TLS, the use of the key derivation function in TLS is akin to the use of such functions in deriving DEM keys under the KEM/DEM paradigm. It is thus likely that a proof as above would immediately imply an efficient RSA-based encryption scheme secure in the standard model, thus solving a long-standing open question in cryptography.

Related Work. The work which is closest to ours is the analysis of the use of RSA in TLS by Jonsson and Kaliski. They consider a very simplified security model for the master secret key, for the particular case when the protocol for the premaster key is based on encryption. We share the modeling of the key derivation function as a random oracle, and the observation that deterministic encryption may suffice for a secure premaster key had also been made there. However, the present work uses a far more general and modular model for key exchange, and analyzes several pre-master key agreement protocols, including one based on DDH which is offered by TLS.

Other analyses of the TLS protocol used Dolev-Yao models, where ideal security of the underlying primitives is postulated, and thus no guarantees are offered for the more concrete world. Such analyses include the one carried out by Mitchell, Shmatikov, and Stern using a model checker, and the one of Paulson who used the inductive method. Wagner and Schneier analyze various security aspects of SSL 3.0, but their treatment is informal. Finally, Bellare and Namprempre, and Krawczyk study how to correctly use the application keys derived via TLS. Their treatment is focused exclusively on the use of keys, and is not concerned with the security of the entire key agreement protocol.

The first complexity theoretic model for key agreement was the Bellare-Rogaway (BR) model, whose main driving forces were earlier works on entity authentication and key distribution. Since the initial work of Bellare and Rogaway there have been a number of other models proposed for key exchange in various applications and environments. These models can be loosely categorised into two main groups: those that use simulation based techniques, and those closer to the original BR model that use an indistinguishability based approach. As explained before, our analysis uses a model that falls in the latter category which, as argued elsewhere, has certain drawbacks but also several important benefits over the simulation based approach. Certainly, our general understanding of TLS would benefit from an analysis in a simulation based model, especially one that guarantees compositionality. However, in such settings care must be taken on the use of the UC session identifiers, which must be unique and predetermined. Furthermore, multiple sessions of TLS use the same long term secret keys, which is a setting inherently difficult to handle in the UC framework. The joint state UC theorem, a technical tool sometimes useful in such situations, does not apply to encryption (as used by encryption based pre-master key derivation). Furthermore, applying the JUC theorem to protocols that use signatures requires signing message/session identifier pairs, thus obtaining an analysis of a related but different protocol.

Some aspects of other indistinguishability-based models relevant to our work 
are the following. In 0 entity authentication and authenticated key distribution 
are considered in the two-party symmetric key case where users are modeled as 
message driven oracles. The adversary in this case acts as the communications 
channel between users. To define security, the notions of an “error-free history” 
of 0 and of “matching protocol runs” from 0 are made formal in 0 using the 
notion of a matching conversation. We use this notion in our definitions. 

Various security attributes are then included in the definition of security by 
allowing the adversary to make corresponding queries such as Reveal queries. In 
0 this was developed to model the three party symmetric key case for entity 
authentication and key distribution. The models most relevant to our work are 
the Blake-Wilson, Johnson and Menezes (BJM) based models 000. The 
BJM model of 0 extended the BR model, to authenticated key agreement (AK) 
and authenticated key agreement with key confirmation (AKC) in the public key 
case. The work of 0 uses the notion of a No-Matching condition 0 , to define a 
clearer separation between AK and AKC protocols and deals with Diffie-Hellman 
(DH) like protocols. Our execution models are inspired by the BJM model (while 
our security definitions are different.) 

Following on from this, [?] deals with the case of key transport using public key encryption (PKE) and key agreement using DH key agreement with digital signatures (DSS). In [23] a modular proof technique was used in a modified BJM model to prove security of key agreement protocols relative to a gap assumption. Indeed, the idea of transforming a one-way security definition into an indistinguishability definition occurs also in the generic transform proposed by Kudla and Paterson [?], and our techniques are very similar to theirs.

Finally, an important security model that is related to ours is that of Canetti and Krawczyk (CK) [?]. In addition to the corruption capabilities that we consider, the CK model allows the adversary to obtain the entire internal state of a session and in particular the ephemeral secrets used in sessions. As pointed out by Choo et al., this type of query is the only essential difference between the adversarial capabilities in the model of Bellare and Rogaway and that of Canetti and Krawczyk (see Table 2 of [?]). Clearly, our analysis does not offer guarantees in the face of such extremely powerful types of adversaries, and in fact it can be easily seen that under such attacks the TLS version that uses the DDH-based pre-master secret key agreement is insecure. It may be possible to demonstrate security of TLS under such stronger attacks by assuming secure erasures, as done for similar protocols [?].

By adopting the style of the BR models over the style of the CK model we also avoid some of the idiosyncrasies of the latter related to the use of session identifiers (which need to be unique, and somehow agreed upon in advance by participating parties) [?]. For a further discussion on the use of identifiers in the CK model versus the BR model see [?].

One other aspect of [?] which is somewhat related to our work is a modular framework for designing protocols. In the model of [?] one can first develop a secure protocol under the powerful assumption that all communication is authenticated. Then, a secure protocol in the more realistic setting with no authenticated communication is obtained by applying a generic transformation using an authenticator. Obviously, the modular structure of TLS that we observe and exploit is of a different nature. In particular, it does not seem possible to regard TLS as the result of applying an authenticator to some other protocol.

2 A Generic Execution Model for Two-Party Protocols 

The security models that we use in this paper are based on the earlier work of Bellare et al. [?, ?], as refined by BJM [?]. In this section we give a general description of the common features of these models, and recall some of the intuition behind them. Later, we specialise the general model for the different tasks that we consider in the paper.

Registered and unregistered users. We model a setting with two kinds of users: registered users (with identities in some set $\mathcal{U}$) and non-registered users (with identities in some set $\mathcal{U}'$). Each user $U \in \mathcal{U}$ has a long-term public key $PK_U$ and a corresponding long-term private key $SK_U$. The set $\mathcal{U}$ is intended to model the set of servers in the standard one-way authentication mode of TLS; the set of identities $\mathcal{U}'$ models users that do not have a long-term public/private key pair.

Models for interactive protocols execution. We are concerned with 
two-party protocols: interactive programs in which an initiator and a responder 
communicate via some communication channel. Each of the two parties runs 
some reactive program: each program expects to receive a message from the 
communication channel, computes a response, and sends this back to the chan- 
nel. We refer to one execution of the program for the initiator (respectively, 
responder) as an initiator session (respectively, a responder session). Each party 
may engage in multiple, concurrent, initiator and responder sessions. 

As standard, we assume an adversary in absolute control of the communication network: the adversary intercepts all messages sent by parties, and may respond with whatever message it wants. This situation is captured by considering an adversary (an arbitrary probabilistic, polynomial-time algorithm) who has access to oracles that correspond to some (initiator or responder) sessions of the protocol, which the oracle maintains internally. In particular, each oracle maintains an internal state which consists of the variables of the session to which it corresponds, and additional meta-variables used later to define security notions. In our descriptions we typically ignore the details of the local variables of the sessions, and we omit a precise specification of how these sessions are executed. Both notions are standard. The typical meta-variables of an oracle $O$ include the following. Variable $\tau_O \in \{0,1\}^* \cup \{\bot\}$ maintains the transcript of all messages sent and received by the oracle, and occasionally other data pertaining to the execution. Variable $\mathrm{role}_O \in \{\textsf{initiator}, \textsf{responder}, \bot\}$ records the type of session to which the oracle corresponds. Variable $\mathrm{pid}_O \in \mathcal{U}$ keeps track of the identity of the intended partner of the session maintained by $O$. Variable $\delta_O$ indicates whether the session has finished successfully or unsuccessfully. We specify the values that this variable takes later in the paper. Finally, variable $\gamma_O \in \{\bot, \textsf{corrupted}\}$ records whether or not the session has been corrupted by the adversary.

After an initialisation phase, in which long-term keys for the parties are generated, the adversary takes control of the execution, which he drives forward using several types of queries. The adversary can create a new session of user $U$ playing the role of the initiator/responder by issuing a query $\mathrm{NewSession}(U, \mathrm{role})$, with $\mathrm{role} \in \{\textsf{initiator}, \textsf{responder}\}$. User $U$ can be either registered or unregistered. We write $\Pi_U^i$ for the $i$-th session of user $U$. To any oracle $O$ the adversary can send a message $\mathrm{msg}$ using the query $\mathrm{Send}(O, \mathrm{msg})$. In return the adversary receives an answer computed according to the session maintained by $O$. The adversary may also corrupt oracles. Later in the paper, when we specialise the general model, we also clarify the different versions of corruptions that can occur and how they are handled by the oracles. The execution halts whenever the adversary decides to do so.

To identify sessions that interact with each other we use the notion of matching conversations introduced by Bellare and Rogaway [?] (which essentially states that the inputs to one session are the outputs of the other session, and the other way around).

3 Pre-master Key Agreement Protocols 

In this section we specialise the general model described above for the case of 
pre-master key agreement protocols, and analyze the security of the pre-master 
key agreement protocols used in TLS. 
As discussed in the introduction, the design of our models is guided by the 
security properties that the various subprotocols of TLS satisfy. In particular, 
we require extremely weak security properties for the pre-master secret key. 
Specifically, we demand that an adversary is not able to fully recover the key 
shared between two honest parties. In its attack the adversary is allowed to 
adaptively corrupt parties and obtain their long term secret key, and is allowed 
to check if a certain string s equals the pre-master secret key held by some honest 
session. The latter capability models an extremely limited form of reveal queries: 
our adversary is not allowed to obtain the pre-master secret key of any of the 
sessions, but can only guess (and then check) their values. 

The formal model of security for pre-master key agreement protocols extends the general model in Section 2 and makes only mild assumptions regarding the syntax of such protocols. Specifically, we assume that the pre-master key belongs to some space $\mathcal{S}_{\mathrm{pms}}$. This space is often the support set of some mathematical structure such as a group. We require that if $t$ is the security parameter then $\#\mathcal{S}_{\mathrm{pms}} > 2^t$. Furthermore, we assume that the initiator and responder programs use a variable $s \in \mathcal{S}_{\mathrm{pms}} \cup \{\bot\}$ that stores the shared pre-master key. The corresponding variable stored by some oracle $O$ is $s_O$. For pre-master secret key agreement protocols the internal variable $\delta_O$ stores one of the following values: $\bot$ (the session has not finished its execution), $\textsf{accepted-pmk}$ (the session has finished its execution successfully, which in particular means that $s_O$ holds some pre-master session key in $\mathcal{S}_{\mathrm{pms}}$) or $\textsf{rejected}$ (the session has finished its execution unsuccessfully). Unless $\delta_O = \textsf{accepted-pmk}$ we assume $s_O = \bot$.

The corruption capabilities of the adversary discussed above are modeled using queries Corrupt and Check, formally defined as follows. When the adversary issues a query $\mathrm{Corrupt}(U)$ the following actions take place. If $U \in \mathcal{U}$ then $SK_U$ is returned to the adversary, and we say that party $U$ has been corrupted. In all sessions $O = \Pi_U^i$, for some $i \in \mathbb{N}$, the value of $\gamma_O$ is set to $\textsf{corrupted}$ and no further interaction between these oracles and the adversary may take place. Additionally, no further queries $\mathrm{NewSession}(U, \mathrm{role})$ are permitted.

When the adversary issues the query $\mathrm{Check}(O, s)$, for $O = \Pi_U^i$, $i \in \mathbb{N}$, $U$ some uncorrupted party, and $s \in \mathcal{S}_{\mathrm{pms}}$, then the answer returned to the adversary is true if $\delta_O = \textsf{accepted-pmk}$ and $s_O = s$, and false otherwise. When a given oracle is initialized, all values for the internal states are set to $\bot$. At the end of a protocol, the role, partner ID, and oracle state (but not the pre-master key) are recorded in the transcript.

The following definition captures the class of oracles which are valid targets for the attacker using the notion of “fresh oracles”. These are uncorrupted oracles that have successfully finished their execution, and have a known intended partner who is also not corrupted.

Definition 1 (Fresh Pre-Master Secret Key Oracle). A pre-master secret oracle $O$ is said to be fresh if all of the following conditions are satisfied:

(1) $\gamma_O = \bot$, (2) $\delta_O = \textsf{accepted-pmk}$, and (3) $\exists V \in \mathcal{U}$ such that $V$ is uncorrupted and $\mathrm{pid}_O = V$.
Security game for pre-master key agreement protocols. We define the security of a pre-master key agreement protocol $\Pi$ via the following game $\mathrm{Exec}^{\textsf{OW-PMS}}_{\Pi,A}(t)$ between an adversary $A$ and a challenger $C$:

(1) The challenger, $C$, generates public/secret key pairs for each user $U \in \mathcal{U}$ (by running the appropriate key-generation algorithm on the security parameter $t$), and returns the public keys to $A$.

(2) Adversary $A$ is allowed to make as many NewSession, Send, Check, and Corrupt queries as it likes.

(3) At some point $A$ outputs a pair $(O^*, s^*)$, where $O^*$ is some pre-master secret oracle, and $s^* \in \mathcal{S}_{\mathrm{pms}}$.

We say the adversary $A$ wins if its output $(O^*, s^*)$ is such that $O^*$ is fresh and $s^* = s_{O^*}$. In this case the output of $\mathrm{Exec}^{\textsf{OW-PMS}}_{\Pi,A}(t)$ is set to 1. Otherwise the output of the experiment is set to 0. We write

$\mathrm{Adv}^{\textsf{OW-PMS}}_{\Pi,A}(t) = \Pr\left[\mathrm{Exec}^{\textsf{OW-PMS}}_{\Pi,A}(t) = 1\right]$

for the advantage of $A$ in winning the $\mathrm{Exec}^{\textsf{OW-PMS}}_{\Pi,A}(t)$ game. The probability is taken over all the random coins used in the game. We deem a pre-master secret key protocol secure if the adversary is not able to fully compute the key held by fresh oracles.

Definition 2 (Pre-Master Key Agreement Security). A pre-master key agreement protocol is secure if it satisfies the following requirements:

• Correctness: At the end of the execution of a benign adversary, who correctly relays messages, any two oracles which have had a matching conversation hold the same pre-master key, and the key is distributed uniformly on the pre-master key space $\mathcal{S}_{\mathrm{pms}}$.

• Key Secrecy: A pre-master key agreement protocol $\Pi$ satisfies OW-PMS key secrecy if for any p.p.t. adversary $A$ its advantage $\mathrm{Adv}^{\textsf{OW-PMS}}_{\Pi,A}(t)$ is a negligible function.

Before proceeding, we discuss the strength of our model for the security of pre- 
master secret keys, and several authentication issues. 

Remark 1. Our security requirements for pre-master secret key agreement are significantly weaker than the standard requirements for key exchange [?, ?]. In particular, we only require secrecy in the sense of one-wayness (not in the sense of indistinguishability from a random key). Furthermore, the corruption abilities of the adversary are severely limited: the adversary cannot obtain (or “reveal”) pre-master secrets established by honest parties (even if these parties are not those under attack).

Remark 2. As a consequence of our security requirements, our model may deem protocols that succumb to unknown-key-share attacks [?] secure. In such attacks, two sessions belonging to honest users $U$ and $V$ locally establish the same pre-master secret key, without intentional interaction with each other.

Remark 3. Security under our notion guarantees security against man-in-the- 
middle attacks: a situation where honest parties U and V believe they interact 
with each other but their pre-master key(s) is in fact shared with the adversary 
is a security break in our model. 

Remark 4. Although the resulting security notion is very weak, it turns out that it suffices to obtain good master-key agreement protocols by appropriately designed protocols to derive such keys (e.g. the protocol in Step 4 of the TLS protocol, Figure 1). More importantly, the weak notion also allows many simple protocols to be proved secure. For example, in the next section we prove that deterministic encryption is sufficient to construct such protocols.

Remark 5. Our model is not concerned with secure establishment of pre-master secret keys between two unauthenticated parties (the oracle that is under attack always has $\mathrm{pid}_O \neq \bot$). While treating this case is possible using the concept of matching conversations to pair sessions, the resulting definition would be heavier and not particularly illuminating. Instead, we concentrate on the situation more relevant to practice, where at least one of the parties that take part in the protocol (the server) has a certified public key.

Remark 6. As usual, our security model can be easily adapted to the random 
oracle model by providing the adversary with access to the random oracle (when- 
ever some hash function is modeled as a RO). The same holds true for the rest 
of the models that we develop in this paper. 

We now discuss the security of the pre-master secret key agreement protocols 
used in TLS. 

Protocols based on public- key encryption. A natural, intuitively ap- 
pealing, construction for pre-master key agreement protocols is based on the 
following use of an arbitrary public-key encryption scheme Enc. A user selects 
a pre-master secret key s from an appropriate space, and sends to the server 
the encryption of s under the server’s public-key. The server then obtains s as 
the decryption of the ciphertext that it receives. We write PMK(Enc) for the 
resulting protocol. 

Theorem 1. If $\mathrm{Enc}$ is a OW-CPA secure deterministic encryption scheme or a OW-CCA secure randomized encryption scheme, then the pre-master secret key agreement protocol $\Pi = \mathrm{PMK}(\mathrm{Enc})$ is a secure pre-master key transport protocol.

The result of this theorem, like all theorems in this paper will be proved in the 
full version. 

The weak security properties that we define for pre-master key agreement 
protocols enable us to show security of PMK(Enc) based on weak security re- 
quirements for Enc. Indeed, the one-wayness type secrecy for pre-master keys 
translates to the one-wayness of the encryption function of Enc. This result 
of our analysis implies, perhaps surprisingly, that one can avoid the use of full-fledged IND-CCA encryption schemes in favor of the much simpler deterministic OW-CPA schemes (e.g. textbook RSA). Of course, probabilistic encryption can also be used, but in this case we show security of the associated pre-master secret key protocol based on OW-CCA security. More generally, our results hold under the assumption that the encryption scheme is secure against an attacker with access to a plaintext checking oracle. It is therefore not paradoxical that a deterministic scheme suffices but an IND-CPA scheme does not.

Finally, since IND-CCA implies OW-CCA, our security analysis does apply to 
the (correct) use of an IND-CCA secure public key encryption scheme within the 
TLS protocol. In particular, when Enc is RSA-OAEP, the pre-master secret key 
protocol PMK(Enc) is secure. 
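To make the execution model of Section 2 and the OW-PMS game of Section 3 concrete, the following added simulation (illustration code, not the paper's own) instantiates the challenger for PMK(Enc) with textbook RSA over two constructed toy primes. Every oracle carries the meta-variables $\tau_O$, $\mathrm{role}_O$, $\mathrm{pid}_O$, $\delta_O$, $\gamma_O$ and the key $s_O$; the adversary drives a run through NewSession, Send, Corrupt and Check; freshness follows Definition 1 and matching conversations are decided from the transcripts. The function names, the "start" prompt that wakes an initiator, and fixing $\mathrm{pid}$ at session creation are simplifying assumptions of this example. The last function shows the reasoning behind Theorem 1's deterministic case: for a deterministic Enc, a Check query can be simulated by re-encrypting the guess, so a plaintext-checking oracle adds nothing to OW-CPA.

```python
"""Toy simulation of the OW-PMS execution model, instantiated with PMK(Enc).
Added illustration, not code from the paper: oracles carry the meta-variables of
Section 2 (tau, role, pid, delta, gamma) plus s_O, the adversary drives the run
with NewSession/Send/Corrupt/Check, and Enc is textbook RSA over toy primes."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

ACCEPTED_PMK, REJECTED, CORRUPTED = "accepted-pmk", "rejected", "corrupted"
BOT = None                                   # stands for the symbol "bottom"

# Registered set U = {"server"}; any other name is an unregistered user in U'.
P, Q = 104723, 104729                        # constructed toy primes, not real key material
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PK = {"server": (N, E)}                      # given to the adversary at setup
SK = {"server": (N, D)}                      # released only through Corrupt
S_PMS = range(2, N - 1)                      # pre-master key space S_pms

def enc(pk, s):                              # deterministic: a function of s alone
    n, e = pk
    return pow(s, e, n)

@dataclass
class Oracle:
    owner: str
    role: str                                # "initiator" | "responder"
    pid: Optional[str]                       # intended partner, BOT if unknown
    tau: list = field(default_factory=list)  # transcript: [("send"|"recv", msg)]
    delta: Optional[str] = BOT               # BOT | accepted-pmk | rejected
    gamma: Optional[str] = BOT               # BOT | corrupted
    s: Optional[int] = BOT                   # s_O, set once the oracle accepts

class Challenger:
    def __init__(self):
        self.oracles, self.corrupted, self.count = {}, set(), {}

    def new_session(self, user, role, pid=BOT):   # NewSession(U, role)
        if user in self.corrupted:
            raise ValueError("NewSession not permitted for a corrupted user")
        i = self.count[user] = self.count.get(user, 0) + 1
        self.oracles[(user, i)] = Oracle(user, role, pid)  # fixing pid here is a simplification
        return (user, i)                     # names the oracle Pi_U^i

    def send(self, oid, msg):                # Send(O, msg): one step of PMK(Enc)
        o = self.oracles[oid]
        if o.gamma == CORRUPTED or o.delta is not BOT:
            return None                      # finished or corrupted: no answer
        o.tau.append(("recv", msg))
        if o.role == "initiator":            # client: choose s, encrypt to pid
            if o.pid not in PK:
                o.delta = REJECTED
                return None
            o.s = secrets.choice(S_PMS)      # uniform over S_pms
            c = enc(PK[o.pid], o.s)
            o.tau.append(("send", c))
            o.delta = ACCEPTED_PMK
            return c
        n, d = SK[o.owner]                   # server: decrypt with SK_U
        if isinstance(msg, int) and 0 < msg < n:
            o.s, o.delta = pow(msg, d, n), ACCEPTED_PMK
        else:
            o.delta = REJECTED
        return None

    def corrupt(self, user):                 # Corrupt(U): SK_U out, oracles of U frozen
        self.corrupted.add(user)
        for o in self.oracles.values():
            if o.owner == user:
                o.gamma = CORRUPTED
        return SK.get(user)                  # unregistered users hold no key

    def check(self, oid, s):                 # Check(O, s): never reveals s_O itself
        o = self.oracles[oid]
        return o.delta == ACCEPTED_PMK and o.s == s

    def fresh(self, oid):                    # Definition 1, conditions (1)-(3)
        o = self.oracles[oid]
        return (o.gamma is BOT and o.delta == ACCEPTED_PMK
                and o.pid in PK and o.pid not in self.corrupted)

    def matching(self, a, b):
        """Matching conversation: each side received exactly what the other sent
        (the conventional "start" prompt to the initiator is not a message)."""
        sent = lambda x: [m for k, m in self.oracles[x].tau if k == "send"]
        recv = lambda x: [m for k, m in self.oracles[x].tau if k == "recv" and m != "start"]
        return sent(a) == recv(b) and sent(b) == recv(a)

def benign_run(ch):
    """A benign adversary: faithfully relays one client/server exchange."""
    client = ch.new_session("client", "initiator", pid="server")
    server = ch.new_session("server", "responder", pid="client")
    ch.send(server, ch.send(client, "start"))
    return client, server

def check_via_reencryption(pk, c, guess):
    """With a deterministic Enc the adversary can answer its own Check queries by
    re-encrypting a guess, which is why plain OW-CPA suffices in Theorem 1."""
    return enc(pk, guess) == c
```

In a benign run the client oracle is fresh (its partner is the registered, uncorrupted server) while the server oracle is not, because its intended partner is an unregistered user; this is exactly the asymmetry of Remark 5. After Corrupt("server") the client oracle stops being fresh as well, so guessing its key no longer counts as a win.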

Signed Diffie-Hellman pre-master key agreement. The pre-master secret key in TLS can also be produced by exchanging a Diffie-Hellman key $g^{xy}$, for $x$ and $y$ randomly chosen by the two participants, who also sign the relevant message flow (either $g^x$ or $g^y$) with their long-term signing keys. It is known that this protocol, which we denote by $\mathrm{PMK}(\mathrm{Sig}, G)$, does not meet the requirements of an authenticated key agreement protocol; see for example [?] for a discussion of this protocol and various attacks on it. However, one can show the following.

Theorem 2. Let $G$ be a cyclic group for which the gap Diffie-Hellman assumption holds and let $\mathrm{Sig}$ be a secure digital signature scheme. Then $\Pi = \mathrm{PMK}(\mathrm{Sig}, G)$ is a secure pre-master key agreement protocol.

4 Master Key Agreement Protocols 

In this section we introduce a security model for master-key agreement protocols. 
We then show that master key agreement protocols obtained from secure pre- 
master key agreement protocols via the transformation used in TLS satisfy our 
notion of security. 

Our security model for master key agreement protocols is similar to that 
for pre-master key agreement protocols. We again ask for the adversary not 
to be able to fully recover the master secret key of the session under attack. 
Moreover, we ask for a key confirmation guarantee: if a session of some user U 
accepts a certain master-key then there exists a unique session of its intended 
partner that had accepted the same key. In addition to the queries previously 
defined for the adversary, we also let the adversary obtain the master keys agreed 
in different sessions of the protocol, without corrupting the user to which this 
session belongs, i.e. we allow so-called Reveal queries. 

In the formal model that we give below we make the following assumptions about the syntax of a master-key agreement protocol. We assume that the master key belongs to some space $\mathcal{S}_{\mathrm{ms}}$ for which we require that $\#\mathcal{S}_{\mathrm{ms}} > 2^t$, and assume that the programs that specify a master key agreement protocol use a variable $m$ to store the agreed master key. For such protocols the variable $\delta_O$ now takes values in $\{\bot, \textsf{accepted-mk}, \textsf{reject}\}$ with the obvious meaning. Furthermore, the variable $\gamma_O$ can also take the value $\textsf{revealed}$ to indicate that the stored master key has been given to the adversary (see below).
In addition to the queries allowed in the experiment for pre-master key security, the adversary is also allowed to issue queries of the form $\mathrm{Reveal}(O)$. This query is handled as follows: if $\delta_O = \textsf{accepted-mk}$ then $m_O$ is returned to $A$ and $\gamma_O$ is set to $\textsf{revealed}$, while if $\delta_O \neq \textsf{accepted-mk}$ then the query acts as a no-op. As before, when a given oracle is initialized all values for the internal states are set to $\bot$. At the end of a protocol the role, partner ID and oracle state (but not the master key) are recorded in the transcript. Unless $\delta_O = \textsf{accepted-mk}$ we assume $m_O = \bot$.

The definition of freshness needs to be adapted to take into account the new 
adversarial capabilities. We call an oracle O fresh if it is uncorrupted, has suc- 
cessfully finished its execution, its intended partner V is uncorrupted, and none 
of the revealed oracles belonging to V has had a matching conversation with O. 
The latter condition essentially says that the adversary can issue Reveal(Q) for 
any Q (including those that belong to the intended partner of O), as long as Q 
is not the session with which O actually interacts. 

Definition 3 (Fresh Master Secret Oracle). A master secret oracle $O$ is said to be fresh if all of the following conditions hold:

(1) $\gamma_O = \bot$, (2) $\delta_O = \textsf{accepted-mk}$, (3) $\exists V \in \mathcal{U}$ such that $V$ is uncorrupted and $\mathrm{pid}_O = V$, and (4) no revealed oracle $\Pi_V$ has had a matching conversation with $O$.

Security game for master-key agreement protocols. The game, denoted by $\mathrm{Exec}^{\textsf{OW-MS}}_{\Pi,A}(t)$, for defining the security of master-key agreement protocol $\Pi$ in the presence of adversary $A$ is similar to that for pre-master keys, with the modification that $A$ is also allowed to make any number of Reveal queries, in addition to the NewSession, Send, Corrupt, and Check queries. Here, Check queries are with respect to the master secret keys only. When the adversary stops, it outputs a pair $(O^*, m^*)$, where $O^*$ identifies one of its oracles, and $m^*$ is some element of $\mathcal{S}_{\mathrm{ms}}$. We say that $A$ wins if its output $(O^*, m^*)$ is such that $O^*$ is fresh and $m^* = m_{O^*}$. In this case the output of $\mathrm{Exec}^{\textsf{OW-MS}}_{\Pi,A}(t)$ is set to 1. Otherwise the output of the experiment is set to 0. We write

$\mathrm{Adv}^{\textsf{OW-MS}}_{\Pi,A}(t) = \Pr\left[\mathrm{Exec}^{\textsf{OW-MS}}_{\Pi,A}(t) = 1\right]$

for the advantage of $A$ in winning the $\mathrm{Exec}^{\textsf{OW-MS}}_{\Pi,A}(t)$ game. The probability is taken over all random coins used in the execution.

The following definition describes a situation where some party U had engaged 
in a session which terminated successfully with some party V, but no session of 
V has a matching conversation with U. 

Definition 4 (No-Matching). Let $\mathrm{No\text{-}Matching}_{\Pi,A}(t)$ be the event that at some point during the execution of $\mathrm{Exec}^{\textsf{OW-MS}}_{\Pi,A}(t)$, for two uncorrupted parties $U \in \mathcal{U} \cup \mathcal{U}'$ and $V \in \mathcal{U}$, there exists an oracle $O = \Pi_U^i$ with $\mathrm{pid}_O = V \in \mathcal{U}$, $\delta_O = \textsf{accepted}$, and yet no oracle $\Pi_V$ has had a matching conversation with $O$.

The following definition says that a protocol is a secure master-key agreement 
protocol if the key established in an honest session is secret (in the one-wayness 
sense) and no honest party can be coaxed into incorrectly accepting. 
Definition 5 (Master Key Agreement Security). A master key agreement protocol is secure if it satisfies the following requirements:

• Correctness: At the end of the execution of a benign adversary, who correctly relays messages, any two oracles which have had a matching conversation hold the same master key, which is distributed uniformly over the master key space $\mathcal{S}_{\mathrm{ms}}$.

• Key Secrecy: A master key agreement protocol $\Pi$ satisfies OW-MS key secrecy if for any p.p.t. adversary $A$, its advantage $\mathrm{Adv}^{\textsf{OW-MS}}_{\Pi,A}(t)$ is a negligible function.

• No Matching: For any p.p.t. adversary $A$, the probability of the event $\mathrm{No\text{-}Matching}_{\Pi,A}(t)$ is a negligible function.

Remark 1. Our security requirements for master secret keys are still significantly weaker than the more standard requirements for key exchange [?]. Although the adversarial powers are similar to those in existing models (e.g. [?]), we still require the adversary to recover the entire key. The weaker requirement is motivated by our use of TLS as a guide in designing the security model. In this protocol, the master secret key is not indistinguishable from a random one, since it is used to compute MACs that are sent over the network.

Remark 2. The No Matching property we require is essentially the one based on matching conversations introduced by Bellare and Rogaway [?], adapted to our setting where only one of the parties involved in the execution is required to hold a certified key (and thus have a verifiable identity). One could potentially replace matching conversations with weaker versions of partnering, but only at the expense of making the definitions and results less clear. Bellare and Rogaway also show that if the No Matching property is satisfied, then agreement is injective. In our terms, with overwhelming probability it holds that if $O = \Pi_U^i$ has accepted and has $\mathrm{pid}_O = V \in \mathcal{U}$, then there exists precisely one session of $V$ with which $O$ has a matching conversation.

Remark 3. Notice that, together, the first and third conditions in the above 
definitions imply a key confirmation guarantee: if one session has accepted a 
certain key, then there exists a unique session of the intended partner who has 
accepted the same key. 

Remark 4. The addition of Reveal queries implies security against “unknown- 
key-share” attacks: if parties U and V share a master-key without being aware 
that they interact with each other the adversary can obtain the key of U by 
performing a Reveal query on the appropriate session of V, thus breaking security 
in the sense defined above. 

Remark 5. Notice that an adversary against the master-secret key does not 
have any query that allows it to obtain information about the pre-master secret 
key. This is consistent with the SSL specification which states that the pre- 
master secret should be converted to the master secret immediately and that 
the pre-master secret should be securely erased from memory. In particular this 
means that the pre-master secret does not form part of the state of the master 
key agreement oracle, and so it does not get written on a transcript. 

In this section we show that the master-key agreement protocol obtained from a secure pre-master key agreement protocol by using the transformation used in TLS is secure. Let $\Pi$ be an arbitrary pre-master key agreement protocol, $G$ a hash function, and $\mathrm{Mac} = (\mathcal{K}, \mathrm{MAC}, \mathrm{ver})$ a message authentication code. We write $(\Pi; \mathrm{MKD}_{\mathrm{SSL}}(\mathrm{Mac}, G))$ for the master-key agreement protocol obtained by extending $\Pi$ with the master-key derivation phase of TLS, i.e. by appending to the message flows of $\Pi$ those in Step 4 of Figure 1. Starting from a secure pre-master key agreement protocol, the above transformation yields a secure master key agreement protocol.

Theorem 3. Let $\Pi$ be a secure pre-master agreement protocol, $\mathrm{Mac}$ a secure message authentication code, and $G$ a random oracle. Then $(\Pi; \mathrm{MKD}_{\mathrm{SSL}}(\mathrm{Mac}, G))$ is a secure master-key agreement protocol.

5 Application Key Agreement 

In this section we extend the model developed so far to deal with application keys obtained from master-secret keys, and then analyze the security of the application keys obtained through the TLS protocol.

As discussed in the introduction, we focus on protocols with a particular structure: first, a master-key is agreed by the parties via some master-key agreement protocol $\Pi$, and then this key is used as input to an application key derivation protocol $\Sigma$. The same master-key can be used in multiple executions of the application key protocol, which can take place in parallel and concurrently.

We capture this setting by modifying the model for master-key agreement protocols as follows. We consider two types of oracles: MK-oracles, which correspond to sessions where the master secret key is derived (i.e. sessions of protocol $\Pi$), and AK-oracles, which correspond to sessions of the application key derivation protocol (i.e. sessions of $\Sigma$). The AK-oracles are spawned by MK-oracles that have established a master-secret key; spawning is done at the request of the adversary. The internal structure and behavior of MK-oracles are as defined in the previous section. To describe AK-oracles, we again impose some syntactic restrictions on the protocols (and thus on the oracles). We require that an AK-oracle $Q$ maintain variables $\tau_Q, m_Q, \mathrm{role}_Q, \mathrm{pid}_Q$ with the same roles as before. In addition, a new variable $k_Q \in \mathcal{S}_{\mathrm{a}}$ holds the application key obtained in the session. (Here $\#\mathcal{S}_{\mathrm{a}} > 2^t$, where $t$ is the security parameter.) The state variable $\delta_Q$ now assumes values in $\{\bot, \textsf{accepted-ak}, \textsf{rejected}\}$, with the obvious semantics. Finally, the corruption variable $\gamma_Q$ is either $\bot$ or $\textsf{compromised}$ (we explain below when the latter value is set).

In addition to the powers previously granted to the adversary, now the adversary can also create new AK-oracles by issuing queries of the form $\mathrm{Spawn}(O)$, with $O$ an MK-oracle that has successfully finished its execution. As a result, a new oracle $Q = \Sigma_O^j$ is created (where $j$ indicates that $Q$ is the $j$-th oracle spawned by $O$). Oracle $Q$ inherits the variables $\tau_Q$, $m_Q$, $\mathrm{role}_Q$, and $\mathrm{pid}_Q$ from $O$ in the obvious way. The adversary may also compromise AK-oracles: when a query $\mathrm{Compromise}(Q)$ is issued, if $Q$ has accepted, then $k_Q$ is returned to the adversary and $\gamma_Q$ is set to $\textsf{compromised}$. Notice that the Compromise queries are the analogue of Reveal queries for AK-oracles. We chose to have different names for clarity.

The security of keys is captured via a Test query. When $\mathrm{Test}(Q)$ is issued, a bit $b \in \{0, 1\}$ is chosen at random. Then if $b = 0$, $k_Q$ is returned to the adversary; otherwise a randomly selected element from $\mathcal{S}_{\mathrm{a}}$ is returned to the adversary (who then has to guess $b$; see the game defined below).

An AK-oracle Q is a valid target for the adversary if the parent oracle of Q 
is fresh, Q has finished successfully its execution, its intended partner, say V, is 
not corrupt, and any session of V with which Q has a matching conversation is 
not compromised. 

Definition 6 (Fresh Application Key Oracle). Let $O$ be a master key agreement oracle and $Q$ denote one of its children. The oracle $Q$ is said to be fresh if the following conditions hold:

(1) $O$ is a fresh master key agreement oracle, (2) $\gamma_Q = \bot$, (3) $\delta_Q = \textsf{accepted-ak}$, (4) $\exists V \in \mathcal{U}$ such that $\mathrm{pid}_Q = V$, and (5) no compromised session $Q'$ that belongs to $V$ has had a matching conversation with $Q$.

Note that here we are implicitly assuming that knowing a master key automatically gives the adversary all derived application keys. Whilst this will not be true of all protocols which one can think of, it is true for all application key derivation protocols that we consider here, and in particular in Stage 5 of the protocol of Figure 1.

Security game for application-key agreement protocols. We define the security of an application-key protocol $\Pi; \Sigma$ via a game $\mathrm{Exec}^{\textsf{IND-AK}}_{\Pi;\Sigma,A}(t)$ between an adversary $A$ and a challenger $C$.

(1) $C$ generates public/secret key pairs for each user $U \in \mathcal{U}$, and returns the public keys to $A$.

(2) $A$ is allowed to make as many NewSession, Send, Spawn, Compromise, Reveal, Check, and Corrupt queries as it likes throughout the game.

(3) At any point during the game adversary $A$ makes a single $\mathrm{Test}(Q^*)$ query.

(4) The adversary outputs a bit $b'$.

We say that $A$ wins if $Q^*$ is fresh at the end of the game and its output bit $b'$ is such that $b = b'$ (where $b$ is the bit internally selected during the Test query). In this case the result of $\mathrm{Exec}^{\textsf{IND-AK}}_{\Pi;\Sigma,A}(t)$ is set to 1. Otherwise the output of the experiment is set to 0. We write

$\mathrm{Adv}^{\textsf{IND-AK}}_{\Pi;\Sigma,A}(t) = \left|\Pr\left[\mathrm{Exec}^{\textsf{IND-AK}}_{\Pi;\Sigma,A}(t) = 1\right] - \tfrac{1}{2}\right|$

for the advantage of $A$ in winning the $\mathrm{Exec}^{\textsf{IND-AK}}_{\Pi;\Sigma,A}(t)$ game. Using this security game we can now define the security of an application key agreement protocol.
Definition 7 (Application Key Agreement Security). An application key agreement protocol is secure if it satisfies the following conditions:

• Correctness: In the presence of an adversary which faithfully relays messages, two oracles running the protocol accept holding the same application key and session ID, and the application key is distributed uniformly at random on the application key space.

• Key secrecy: An application key agreement protocol $\Pi; \Sigma$ satisfies IND-AK key secrecy if for any p.p.t. adversary $A$, its advantage $\mathrm{Adv}^{\textsf{IND-AK}}_{\Pi;\Sigma,A}(t)$ is negligible in $t$.

Remark 1. The model that we develop ensures strong security guarantees for 
the application keys, in the standard sense of indistinguishability against at- 
tackers with powerful corruption capabilities. In this sense our model is close to 
existing ones, but has the added feature that we explicitly consider the setting 
where more than one application-key can be derived from the same master key. 

Remark 2. Notice that at the application key layer we do not require key confirmation anymore. Indeed, a trivial attack on the standard notion of key confirmation can be mounted against application keys derived using the TLS protocol. However, implicit key confirmation for application keys may still be achieved, depending on how the application key is actually used. (In the full version of the paper we discuss the composition of our application key agreement protocol with specific applications, especially confidentiality applications.)

The loss of this property is in some sense a result of how we chose to break 
down the protocol for analysis, since one of our goals was to identify what security 
properties each of the stages provides. However, if one considers Stages 1-4 as 
the key agreement protocol, and stages 5-6 as the application then one does 
obtain an explicit notion of key confirmation. Hence, the loss of explicit key 
confirmation in Stage 5 should not be considered a design flaw in TLS. 

In this section we show that the application-key agreement protocol obtained from any secure master-key derivation protocol and the application-key derivation protocol of TLS (Stage 5 of Figure [?]) is secure.

For any master-key agreement protocol Π and hash function H, we write (Π; AK_ssl(H)) for the application-key agreement protocol obtained by extending Π with the application-key derivation protocol of TLS. Informally, this means that we derive an application key agreement protocol from a master key agreement protocol using Stage 5 of Figure 1. We make no assumption as to whether the master key agreement protocol itself is derived from a pre-master key agreement protocol as in Figure [?]. The following theorem says that starting with a master-key agreement protocol secure in the sense of Definition [?], the above transformation yields a secure application key protocol.

Theorem 4. Let Π be a secure master-key agreement protocol and H a random oracle. Then (Π; AK_ssl(H)) is a secure application-key agreement protocol.

The security of TLS follows from Theorems 1, 2, 3 and 4. For full details the 
reader should consult the full version of this paper. 
Abstract. Optimistic fair exchange (OFE) is a protocol for solving the
problem of exchanging items or services in a fair manner between two 
parties, a signer and a verifier, with the help of an arbitrator which 
is called in only when a dispute happens between the two parties. In 
almost all the previous work on OFE, after obtaining a partial signature 
from the signer, the verifier can present it to others and show that the 
signer has indeed committed itself to something corresponding to the 
partial signature even prior to the completion of the transaction. In some 
scenarios, this capability given to the verifier may be harmful to the 
signer. In this paper, we propose the notion of ambiguous optimistic fair 
exchange (A-OFE), which is an OFE but also requires that the verifier 
cannot convince anybody about the authorship of a partial signature 
generated by the signer. We present a formal security model for A-OFE in 
the multi-user setting and chosen-key model. We also propose an efficient 
construction with security proven without relying on the random oracle 
assumption. 

1 Introduction 

Optimistic Fair Exchange (OFE) allows two parties to fairly exchange information in such a way that at the end of a protocol run, either both parties have obtained the complete information from one another or none of them has obtained anything from the counterparty. In an OFE, there is a third party, called Arbitrator, which only gets involved when a dispute occurs between the two parties. OFE is a useful tool in practice; for example, it can be used for performing contract signing, fair negotiation and similar applications on the Internet. Since its introduction [?], there have been many OFE schemes proposed [2, 3, 4, 12, 13, 14, 18, 21, 23, 24]. For all recently proposed schemes, an OFE protocol for signature typically consists of three message flows. The initiator of OFE, Alice, first sends a message σ_P, called partial signature, to the responder, Bob. The partial signature σ_P acts as Alice's partial commitment to her full signature which is to be sent to Bob. But Bob needs to send his full signature to Alice first in the second message flow. After receiving Bob's full signature, Alice sends her full signature to Bob in the third message flow. If in the second message flow Bob refuses to send his full signature back to Alice, Alice's partial signature σ_P should be of no use to Bob, so that Alice has no concern about giving away σ_P. However, if Bob has sent his full signature to Alice while Alice refuses to send her full signature in the third message flow, then Bob can ask the Arbitrator to retrieve Alice's full signature from σ_P after sending both σ_P and Bob's full signature to the Arbitrator. To the best of our knowledge, among almost all the known OFE schemes, there is one common property of Alice's partial signature σ_P which has neither been captured in any of the security models for OFE nor been considered as a requirement for OFE. The property is that once σ_P is given out, at least one of the following statements is true.

1. Everyone can verify that σ_P must have been generated by Alice because σ_P, similar to a standard digital signature, has the non-repudiation property with respect to Alice's public key;

2. Bob can show to anybody that Alice is the signer of σ_P.

For example, in the schemes proposed in [?], the partial signature of Alice is a standard signature, which can only be generated by Alice. In many OFE schemes in the literature, Alice's signature is encrypted under the arbitrator's public key, and then a non-interactive proof is generated to show that the ciphertext indeed contains a signature of Alice. This is known as a verifiably encrypted signature. However, this raises the question of whether a non-interactive proof that a signature is encrypted is really any different from a signature itself, since it alone is sufficient to prove to any third party that the signer has committed to the message [?].

This property may cause no concern in some applications, for example, in those where only the full signature is deemed to have some actual value to the receiving party. However, it may be undesirable in some other applications. Since σ_P is publicly verifiable and non-repudiable, in practice σ_P may not be completely useless to Bob. Instead, σ_P has evidently shown Alice's commitment to the corresponding message. This may cause an unfair situation, to the advantage of Bob, if Bob does not send out his full signature. In contract signing applications, this could be undesirable because σ_P can already be considered as Alice's undeniable commitment to a contract in court while there is no evidence showing that Bob has committed to anything.

In another application, fair negotiation, the property above may also be undesirable. Suppose that after obtaining σ_P from Alice on her offer, Bob shows it to Charlie, who is Alice's competitor, and asks Charlie to make a better offer. If Charlie's offer is better, then Bob may stop the OFE protocol run with Alice, indicating that Bob is unwilling to conclude the negotiation with Alice, and instead carry out a new OFE protocol run with Charlie. Bob can play the same game iteratively until no one can give an even better offer. Then Bob can resolve the negotiation by sending his service (i.e. his full signature as the commitment to his service) to the highest bidder.

To make OFE applicable to more applications and practical scenarios, in this paper we propose to enhance the security requirements of OFE and construct a new OFE scheme which does not have the problems mentioned above. One may also think of this as an effort to make OFE more admissible as a viable fair exchange tool for real applications. We will build an OFE scheme which not only satisfies all the existing security requirements of OFE (with respect to the strongest security model available [?]), but in addition will also have σ_P be not self-authenticating, so that Bob is unable to demonstrate to others that Alice has committed herself to something. We call this enhanced notion of OFE Ambiguous Optimistic Fair Exchange (A-OFE). It inherits all the formalized properties of OFE [?] and has a new property introduced: signer ambiguity. It requires that a partial signature σ_P generated by Alice or Bob should look alike and be indistinguishable even to Alice and Bob.

(Related Work): There have been many OFE schemes proposed in the past [?]. In the following, we review some recent ones by starting from 2003 when Park, Chong and Siegel [?] proposed an OFE based on sequential two-party multi-signature. It was later broken and repaired by Dodis and Reyzin [?]. The scheme is setup-driven [?], which requires all users to register their keys with the arbitrator prior to any transaction. In [?], Micali proposed another scheme based on a CCA2 secure public key encryption with the property of recoverable randomness (i.e., both plaintext and randomness used for generating the ciphertext can be retrieved during decryption). Later, Bao et al. [?] showed that the scheme is not fair, where a dishonest party, Bob, can obtain the full commitment of another party, Alice, without letting Alice get his obligation. They also proposed a fix to defend against the attack.

In PKC 2007, Dodis, Lee and Yum [?] considered OFE in a multi-user setting. Prior to their work, almost all previous results considered the single-user setting only, which consists of a single signer and a single verifier (along with an arbitrator). The more practical multi-user setting considers a system to have multiple signers and verifiers (along with the arbitrator), so that a dishonest party can collude with other parties in an attempt at cheating. Dodis et al. [?] showed that security of OFE in the single-user setting does not necessarily imply security in the multi-user setting. They also proposed a formal definition of OFE in the multi-user setting, and proposed a generic construction, which is setup-free (i.e. no key registration is required between users and the arbitrator) and can be built in the random oracle model [?] if there exist one-way functions, or in the standard model if there exist trapdoor one-way permutations.

In CT-RSA 2008, Huang, Yang, Wong and Susilo [?] considered OFE in the multi-user setting and chosen-key model, in which the adversary is allowed to choose public keys arbitrarily without showing its knowledge of the corresponding private keys. Prior to their work, the security of all previous OFE schemes (including the one in [?]) was proven in a more restricted model, called the certified-key (or registered-key) model, which requires the adversary to prove its knowledge of the corresponding private key before using a public key. In [?], Huang et al. gave a formal security model for OFE in the multi-user setting and chosen-key model, and proposed an efficient OFE scheme based on ring signature. In their scheme, a partial signature is a conventional signature and a full signature is a two-member ring signature in addition to the conventional signature. The security of their scheme was proven without random oracles.
Liskov and Micali [?] proposed an online-untransferable signature scheme, which in essence is an enhanced version of designated confirmer signature, with the extra property that a dishonest recipient, who is interacting with a signer, cannot convince a third party that the signature was generated by the signer. Their scheme is fairly complex and the signing process requires several rounds of interaction with the recipient. Besides, their scheme works in the certified-key model, and is not setup-free, i.e. there is a setup stage between each signer and the confirmer, and the confirmer needs to store a public/secret key pair for each signer, thus a large storage is required for the confirmer.

In [?], Garay, Jakobsson and MacKenzie introduced a similar notion for optimistic contract signing, named abuse-freeness. It requires that no party can ever prove to a third party that he is capable of choosing whether to validate or invalidate a contract. They also proposed a construction of an abuse-free optimistic contract signing protocol. The security of their scheme is based on the DDH assumption under the random oracle model. Besides, they did not consider the multi-user setting for their contract signing protocol.

(Our Contributions): In this paper we make the following contributions. 

1. We propose the notion of Ambiguous Optimistic Fair Exchange (Ambiguous OFE or A-OFE in short) which allows a signer Alice to generate a partial signature in such a way that a verifier Bob cannot convince anybody about the authorship of this partial signature, and thus cannot prove to anybody that Alice committed herself to anything prematurely. Realizing the notion requires making the partial signature ambiguous with respect to Alice and Bob. We will see that this requires us to include both Alice's and Bob's public keys in the signing and verification algorithms of A-OFE.

2. For formalizing A-OFE, we propose a strong security model in the multi-user setting and chosen-key model. Besides the existing security requirements for OFE, that is, resolution ambiguity¹, security against signers, security against verifiers and security against the arbitrator, A-OFE has an additional requirement: signer ambiguity. It requires that the verifier can generate partial signatures whose distribution is (computationally) indistinguishable from that of partial signatures generated by the signer. We also evaluate the relations among the security requirements and show that if a scheme has security against the arbitrator and (a weaker variant of) signer ambiguity, then it already has (a weaker variant of) security against verifiers.

3. We propose the first efficient A-OFE scheme and prove its security in the multi-user setting and chosen-key model without random oracles. It is based on Groth and Sahai's idea of constructing a fully anonymous group signature scheme [?] and the security relies on the decision linear assumption and the strong Diffie-Hellman assumption.

(Paper Organization): In the next section, we define A-OFE and propose a security model for it. We also show some relations among the formalized security requirements of A-OFE. In Sec. 3 we introduce some preliminaries which are used in our construction, which is described in Sec. [?]. In Sec. [?] we prove the security of our scheme in the standard model, and compare our scheme with two other related works.

¹ Resolution ambiguity is just another name for the ambiguity considered in [?].

2 Ambiguous Optimistic Fair Exchange 

In an A-OFE scheme, we require that after receiving a partial signature σ_P from Alice (the signer), Bob (the verifier) cannot convince anyone but himself that Alice has committed herself to σ_P. This property is closely related to the non-transferability of designated verifier signature and the ambiguity of concurrent signature [?]. Similarly, we require that the verification algorithm in A-OFE should also take the public keys of both signer and (designated) verifier as inputs, in contrast to that in the traditional definition of OFE [?].

Definition 1 (Ambiguous Optimistic Fair Exchange). An ambiguous optimistic fair exchange (A-OFE in short) scheme involves two users (a signer and a verifier) and an arbitrator, and consists of the following (probabilistic) polynomial-time algorithms:

— PMGen: On input 1^k where k is a security parameter, it outputs a system parameter PM.

— Setup^TTP: On input PM, the algorithm generates a public arbitration key APK and a secret arbitration key ASK.

— Setup^User: On input PM and (optionally) APK, the algorithm outputs a public/secret key pair (PK, SK). For user U_i, we use (PK_i, SK_i) to denote its key pair.

— Sig and Ver: Sig(M, SK_i, PK_i, PK_j, APK) outputs a (full) signature σ_F on M of user U_i with the designated verifier U_j, where message M is chosen by user U_i from the message space M defined under PK_i, while Ver(M, σ_F, PK_i, PK_j, APK) outputs accept or reject, indicating whether σ_F is U_i's valid full signature on M with designated verifier U_j or not.

— PSig and PVer: They are partial signing and verification algorithms respectively. PSig(M, SK_i, PK_i, PK_j, APK) outputs a partial signature σ_P, while PVer(M, σ_P, PK, APK) outputs accept or reject, where PK = {PK_i, PK_j}.

— Res: This is the resolution algorithm. Res(M, σ_P, ASK, PK), where PK = {PK_i, PK_j}, outputs a full signature σ_F, or ⊥ indicating the failure of resolving a partial signature.

Note that we implicitly require that there is an efficient algorithm which, given a pair (SK, PK), verifies if SK matches PK, i.e. whether (SK, PK) is an output of algorithm Setup^User. As in [?], PSig together with Res should be functionally equivalent to Sig.

For correctness, we require that for any k ∈ ℕ, PM ← PMGen(1^k), (APK, ASK) ← Setup^TTP(PM), (PK_i, SK_i) ← Setup^User(PM, APK), (PK_j, SK_j) ← Setup^User(PM, APK), and M ∈ M(PK_i), letting PK = {PK_i, PK_j}, we have the following:

$$\mathrm{PVer}\big(M, \mathrm{PSig}(M, SK_i, PK_i, PK_j, APK), PK, APK\big) = \mathsf{accept},$$

$$\mathrm{Ver}\big(M, \mathrm{Sig}(M, SK_i, PK_i, PK_j, APK), PK_i, PK_j, APK\big) = \mathsf{accept}, \text{ and}$$

$$\mathrm{Ver}\big(M, \mathrm{Res}(M, \mathrm{PSig}(M, SK_i, PK_i, PK_j, APK), ASK, PK), PK_i, PK_j, APK\big) = \mathsf{accept}.$$

2.1 Security Properties 

(Resolution Ambiguity): The resolution ambiguity property requires that any 'resolved signature' Res(M, PSig(M, SK_i, PK_i, PK_j, APK), ASK, {PK_i, PK_j}) is computationally indistinguishable from an 'actual signature' generated by Sig(M, SK_i, PK_i, PK_j, APK). It is identical to the 'ambiguity' defined in [?]. Here we just use another name, in order to avoid any confusion, as we will define another kind of ambiguity next.

(Signer Ambiguity): Informally, signer ambiguity means that given a partial signature σ_P from a signer A, a verifier B should not be able to convince others that σ_P was indeed generated by A. To capture this property, we use the idea of defining ambiguity in concurrent signature [?]. We require that B can generate partial signatures that look indistinguishable from those generated by A. This is also the reason why a verifier should also have a public/secret key pair, and the verifier's public key should be included in the inputs of PSig and Sig. Formally, we define an experiment in which D is a probabilistic polynomial-time distinguisher.

$$
\begin{aligned}
&PM \leftarrow \mathrm{PMGen}(1^k)\\
&(APK, ASK) \leftarrow \mathrm{Setup}^{\mathrm{TTP}}(PM)\\
&(M, (PK_0, SK_0), (PK_1, SK_1), \delta) \leftarrow D^{O_{\mathrm{Res}}}(APK)\\
&b \leftarrow \{0,1\}\\
&\sigma_P \leftarrow \mathrm{PSig}(M, SK_b, PK_b, PK_{1-b}, APK)\\
&b' \leftarrow D^{O_{\mathrm{Res}}}(\delta, \sigma_P)\\
&\text{success of } D := \big[\, b' = b \ \wedge\ (M, \sigma_P, \{PK_0, PK_1\}) \notin \mathrm{Query}(D, O_{\mathrm{Res}}) \,\big]
\end{aligned}
$$

where δ is D's state information, oracle O_Res takes as input a valid² partial signature σ_P of user U_i on message M with respect to verifier U_j, i.e. (M, σ_P, {PK_i, PK_j}), and outputs a full signature σ_F on M under PK_i, PK_j, and Query(D, O_Res) is the set of valid queries D issued to the resolution oracle O_Res. In this oracle query, D can arbitrarily choose a public key PK without knowing the corresponding private key. However, we do require that there exists a PPT algorithm to check the validity of the two key pairs output by D, i.e. whether SK_b matches PK_b for b = 0, 1, or whether (PK_b, SK_b) is a possible output of Setup^User. The advantage of D, Adv^SA_D(k), is defined to be the gap between its success probability in the experiment above and 1/2, i.e. Adv^SA_D(k) = |Pr[b' = b] − 1/2|.

² By 'valid', we mean that σ_P is a valid partial signature on M under public keys PK_i, PK_j; alternatively, the input (M, σ_P, PK_i, PK_j) of O_Res satisfies the condition that PVer(M, σ_P, {PK_i, PK_j}, APK) = accept.
Definition 2 (Signer Ambiguity). An OFE scheme is said to be signer ambiguous if for any probabilistic polynomial-time algorithm D, Adv^SA_D(k) is negligible in k.

Remark 1. We note that a similar notion was introduced in [?]. It is required that the signer's partial signature can be simulated in an indistinguishable way. However, the 'indistinguishability' in [?] is defined in CPA fashion, giving the adversary no oracle that resolves a partial signature to a full one, while our definition of signer ambiguity is done in the CCA fashion, allowing the adversary to ask for any partial signature except the challenge one to be resolved to a full signature, which is comparable to the CCA security of public key encryption schemes.

(Security Against Signers): We require that no PPT adversary A should be able to produce, with non-negligible probability, a partial signature which looks good to a verifier but cannot be resolved to a full signature by the honest arbitrator. This ensures fairness for verifiers, that is, if the signer has committed to a message with respect to an (honest) verifier, the verifier should always be able to obtain the full commitment of the signer. Formally, we consider the following experiment:

$$
\begin{aligned}
&PM \leftarrow \mathrm{PMGen}(1^k)\\
&(APK, ASK) \leftarrow \mathrm{Setup}^{\mathrm{TTP}}(PM)\\
&(PK_B, SK_B) \leftarrow \mathrm{Setup}^{\mathrm{User}}(PM, APK)\\
&(M, \sigma_P, PK_A) \leftarrow A^{O_{\mathrm{PSig}},\, O_{\mathrm{Res}}}(APK, PK_B)\\
&\sigma_F \leftarrow \mathrm{Res}(M, \sigma_P, ASK, \{PK_A, PK_B\})\\
&\text{success of } A := \big[\, \mathrm{PVer}(M, \sigma_P, \{PK_A, PK_B\}, APK) = \mathsf{accept}\\
&\qquad\qquad\qquad\ \wedge\ \mathrm{Ver}(M, \sigma_F, PK_A, PK_B, APK) = \mathsf{reject}\\
&\qquad\qquad\qquad\ \wedge\ (M, PK_A) \notin \mathrm{Query}(A, O_{\mathrm{PSig}}) \,\big]
\end{aligned}
$$

where oracle O_Res is described in the previous experiment, O_PSig takes as input (M, PK_i) and outputs a partial signature on M under PK_i, PK_B generated using SK_B, and Query(A, O_PSig) is the set of queries made by A to oracle O_PSig. In this experiment, the adversary can arbitrarily choose a public key PK_i, and it may not know the corresponding private key of PK_i. Note that the adversary is not allowed to corrupt PK_B; otherwise it can easily succeed in the experiment by simply using SK_B to produce a partial signature under public keys PK_A, PK_B and outputting it. The advantage of A in the experiment, Adv^SAS_A(k), is defined to be A's success probability.

Definition 3 (Security Against Signers). An OFE scheme is said to be secure against signers if there is no PPT adversary A such that Adv^SAS_A(k) is non-negligible in k.

(Security Against Verifiers): This security notion requires that any PPT verifier B should not be able to transform a partial signature into a full signature with non-negligible probability if no help has been obtained from the signer or the arbitrator. This requirement has some similarity to the notion of opacity for verifiably encrypted signature [?]. Formally, we consider the following experiment:

$$
\begin{aligned}
&PM \leftarrow \mathrm{PMGen}(1^k)\\
&(APK, ASK) \leftarrow \mathrm{Setup}^{\mathrm{TTP}}(PM)\\
&(PK_A, SK_A) \leftarrow \mathrm{Setup}^{\mathrm{User}}(PM, APK)\\
&(M, PK_B, \sigma_F) \leftarrow B^{O_{\mathrm{PSig}},\, O_{\mathrm{Res}}}(PK_A, APK)\\
&\text{success of } B := \big[\, \mathrm{Ver}(M, \sigma_F, PK_A, PK_B, APK) = \mathsf{accept}\ \wedge\ (M, \{PK_A, PK_B\}) \notin \mathrm{Query}(B, O_{\mathrm{Res}}) \,\big]
\end{aligned}
$$

where oracle O_Res is described in the experiment of signer ambiguity, Query(B, O_Res) is the set of valid queries B issued to the resolution oracle O_Res, and oracle O_PSig takes as input a message M and a public key PK_j and returns a valid partial signature σ_P on M under PK_A, PK_j generated using SK_A. In the experiment, B can ask the arbitrator to resolve any partial signature with respect to any pair of public keys (adaptively chosen by B, possibly without knowledge of the corresponding private keys), with the limitation described in the experiment. The advantage of B in the experiment, Adv^SAV_B(k), is defined to be B's success probability in the experiment above.

Definition 4 (Security Against Verifiers). An OFE scheme is said to be secure against verifiers if there is no PPT adversary B such that Adv^SAV_B(k) is non-negligible in k.

(Security Against the Arbitrator): Intuitively, an OFE is secure against the arbitrator if no PPT adversary C, including the arbitrator, should be able to generate with non-negligible probability a full signature without explicitly asking the signer to generate one. This ensures fairness for signers, that is, no one can frame the actual signer on a message with a forgery. Formally, we consider the following experiment:

$$
\begin{aligned}
&PM \leftarrow \mathrm{PMGen}(1^k)\\
&(APK, ASK^*) \leftarrow C(PM)\\
&(PK_A, SK_A) \leftarrow \mathrm{Setup}^{\mathrm{User}}(PM, APK)\\
&(M, PK_B, \sigma_F) \leftarrow C^{O_{\mathrm{PSig}}}(ASK^*, APK, PK_A)\\
&\text{success of } C := \big[\, \mathrm{Ver}(M, \sigma_F, PK_A, PK_B, APK) = \mathsf{accept}\ \wedge\ (M, PK_B) \notin \mathrm{Query}(C, O_{\mathrm{PSig}}) \,\big]
\end{aligned}
$$

where the oracle O_PSig is described in the previous experiment, ASK* is C's state information, which might not be the private key corresponding to APK, and Query(C, O_PSig) is the set of queries C issued to the oracle O_PSig. The advantage of C in this experiment, Adv^SAA_C(k), is defined to be C's success probability.

Definition 5 (Security Against the Arbitrator). An OFE scheme is said to be secure against the arbitrator if there is no PPT adversary C such that Adv^SAA_C(k) is non-negligible in k.
Remark 2. In A-OFE, both signer U_A and verifier U_B are equipped with public/secret key pairs (of the same structure), and U_A and U_B can generate indistinguishable partial signatures on the same message. If the security against the arbitrator holds for U_A (as described in the experiment above), it should also hold for U_B. That is, even when colluding with U_A (and other signers), the arbitrator should not be able to frame U_B for a full signature on a message if it has not obtained a partial signature on the message generated by U_B.

Definition 6 (Secure Ambiguous Optimistic Fair Exchange). An A-OFE 
scheme is said to be secure in the multi-user setting and chosen-key model if it is 
resolution ambiguous, signer ambiguous, secure against signers, secure against 
verifiers and secure against the arbitrator. 


2.2 Weaker Variants of the Model 

In this section, we evaluate the relation between signer ambiguity and security against verifiers. Intuitively, if an A-OFE scheme is not secure against verifiers, the scheme cannot be signer ambiguous, because a malicious verifier can convert, with non-negligible probability, a signer's partial signature to a full one, which allows the verifier to win the signer ambiguity game. For technical reasons, we first describe some weakened models before giving the proof of a theorem regarding the relation.

In our definition of signer ambiguity (Def. 2), the two public/secret key pairs are selected by the adversary D. In a weaker form, the key pairs can be selected by the challenger, and D is allowed to corrupt these two keys. This is comparable to the ambiguity definition for concurrent signature [?], or the strongest definition of anonymity of ring signature considered in [?], namely anonymity against full key exposure. We can also define an even weaker version of signer ambiguity, in which D is given two public keys, PK_A, PK_B, oracle access to O_PSig which returns U_A's partial signatures, and is allowed to corrupt PK_B. We call this form of signer ambiguity weak signer ambiguity.

In the definition of security against verifiers (Def. 4), the verifier's public key PK_B is adaptively selected by the adversary B. In a weaker model, PK_B can be generated by the challenger and the corresponding user secret key can be corrupted by B. The rest of the model remains unchanged. We call this weak security against verifiers. Below we show that if an OFE scheme is weakly signer ambiguous and secure against the arbitrator, then it is also weakly secure against verifiers.

Theorem 1. In A-OFE, weak signer ambiguity and security against the arbitrator (Def. 5) together imply weak security against verifiers.

Proof. Suppose that an A-OFE scheme is not weakly secure against verifiers. Let B be the PPT adversary that has non-negligible advantage ε in the experiment of weak security against verifiers, and let B make at most q queries of the form (·, PK_B) to oracle O_PSig. Due to the security against the arbitrator, B must have queried O_PSig in the form (·, PK_B). Hence the value of q is at least one. Denote the experiment of weak security against verifiers by Ex^(0). Note that in Ex^(0) all queries to O_PSig are answered with partial signatures generated using SK_A. We now define a series of experiments, Ex^(1), ..., Ex^(q), so that Ex^(i) (i ≥ 1) is the same as Ex^(i−1) except that, starting from the (q+1−i)-th query to O_PSig up to the q-th query of the form (·, PK_B), they are answered with partial signatures generated using SK_B. Let B's success probability in experiment Ex^(i) be ε_i. Note that ε_0 = ε, and in experiment Ex^(q) all queries of the form (·, PK_B) to O_PSig are answered with partial signatures generated using SK_B. Since B also knows SK_B (through corruption), it can use SK_B to generate such partial signatures on any message itself. Therefore, making queries of the form (·, PK_B) to O_PSig does not help B in winning the experiment if the answers are generated using SK_B. It is equivalent to the case that B does not issue any query (·, PK_B) to O_PSig. Hence, guaranteed by the security against the arbitrator, we have that B's advantage in Ex^(q) is negligible, as B has to output a full signature without getting any corresponding partial signature.

Since the gap |ε_0 − ε_q| between B's advantage in Ex^(0) and that in Ex^(q) is non-negligible, there must exist an i, 1 ≤ i ≤ q, such that |ε_{i−1} − ε_i| is at least |ε_0 − ε_q|/q, which is non-negligible as well. Let i* be such an i. We show how to make use of the difference of B's advantage in Ex^(i*−1) and Ex^(i*) to build a PPT algorithm D to break the weak signer ambiguity.

Given APK and PK_A, PK_B, D first asks its challenger for SK_B, and then invokes B on (APK, PK_A, PK_B). D randomly selects an i* from {1, ..., q}, and simulates the oracles for B as follows. If B asks for SK_B, D simply gives it to B. The oracle O_Res is simulated by D using its own resolution oracle. If B makes a query (M, PK_j) to O_PSig where PK_j ≠ PK_B, D forwards this query to its own partial signing oracle, and returns the obtained answer back to B. Now consider the ℓ-th query of the form (M, PK_B) made by B to O_PSig. If ℓ < q+1−i*, D forwards it to its own oracle, and returns the obtained answer. If ℓ = q+1−i*, D requests from its challenger the challenge partial signature σ*_P on M and returns it to B. If ℓ > q+1−i*, D simply uses SK_B to produce a partial signature on M. At the end of the simulation, when B outputs (M*, σ*_F), if B succeeds in the experiment, D outputs 0; otherwise, D outputs 1.

It is easy to see that D guesses the correct i* with probability at least 1/q. Now suppose that D's guess of i* is correct. If σ*_P was generated by D's challenger using SK_A, i.e. b = 0, the view of B is identical to that in Ex^(i*−1). On the other side, if σ*_P was generated using SK_B, i.e. b = 1, the view of B is identical to that in Ex^(i*). Let b' be the bit output by D. Since D outputs 0 only if B succeeds in the experiment, we have Pr[b' = 0 | b = 0] = ε_{i*−1} and Pr[b' = 0 | b = 1] = ε_{i*}. Therefore, the advantage of D in attacking the weak signer ambiguity over random guessing is
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|pr[6' = 6] - 1 1 = |pr[b' = 0 A & = 0] + Pr[6' = 1 A b = 1] 


= |pr[b' = 0 A & = 0] + Pr[6' = 1 A b = 1] — 


= |pr[b' = 0 A 6 = 0] + (Pr[6 = 1] - Pr[&' = 0 A 6 = 1]) - i| 
= i|Pr[6' = 0|b = 0]-Pr[6'=0|6 = l]| 




1 


which is also non-negligible. This contradicts the weak signer ambiguity assumption. □


Corollary 1. In A-OFE, signer ambiguity (Def. 0) and security against the 
arbitrator (Def. 0) together imply weak security against verifiers. 

Letting an adversary select the two challenge public keys gives the adversary 
more power in attacking signer ambiguity. Therefore, signer ambiguity defined 
in Sec. 12.H is at least as strong as the weak signer ambiguity. Hence this corollary follows directly from the theorem above.

3 Preliminaries 

(Admissible Pairings): Let $G_1$ and $G_T$ be two cyclic groups of large prime order $p$. $e$ is an admissible pairing if $e : G_1 \times G_1 \to G_T$ is a map with the following properties: (1) Bilinear: $\forall R, S \in G_1$ and $\forall a, b \in \mathbb{Z}$, $e(R^a, S^b) = e(R, S)^{ab}$; (2) Non-degenerate: $\exists R, S \in G_1$ such that $e(R, S) \ne 1$; and (3) Computable: there exists an efficient algorithm for computing $e(R, S)$ for any $R, S \in G_1$.

(Decision Linear Assumption (DLN) [?]): Let $G_1$ be a cyclic group of large prime order $p$. The Decision Linear Assumption for $G_1$ holds if for any PPT adversary $\mathcal{A}$, the following probability is negligibly close to $1/2$.

$$\Pr\bigl[F, H, W \leftarrow G_1;\ r, s \leftarrow \mathbb{Z}_p;\ Z_0 \leftarrow W^{r+s};\ Z_1 \leftarrow G_1;\ d \leftarrow \{0, 1\} : \mathcal{A}(F, H, W, F^r, H^s, Z_d) = d\bigr]$$

($q$-Strong Diffie-Hellman Assumption ($q$-SDH) [?]): The $q$-SDH problem in $G_1$ is defined as follows: given a $(q+1)$-tuple $(g, g^x, g^{x^2}, \cdots, g^{x^q})$, output a pair $(g^{1/(x+c)}, c)$ where $c \in \mathbb{Z}_p^*$. The $q$-SDH assumption holds if for any PPT adversary $\mathcal{A}$, the following probability is negligible.



4 Ambiguous OFE without Random Oracles 

In this section, we propose an A-OFE scheme, which is based on Groth and Sahai's idea of constructing a fully anonymous group signature scheme [15]. Before describing the scheme, we first describe our construction at a high level.

4.1 High Level Description of Our Construction

As mentioned in the introduction, many OFE schemes in the literature follow a generic framework: Alice encrypts her signature under the arbitrator's public key, and then provides a proof showing that the ciphertext indeed contains her signature on the message. To extend this framework to ambiguous optimistic fair exchange, we let Alice encrypt her signature under the arbitrator's public key and provide a proof showing that the ciphertext contains either her signature on the message or Bob's signature on it. Therefore, given Alice's partial signature, Bob cannot convince others that Alice has committed herself to something, as he can also generate this signature.

Our concrete construction below follows the aforementioned framework, and is based on the idea of Groth in constructing a fully anonymous group signature scheme [15]. In more detail, Alice's signature consists of a weakly secure BB-signature [?] and a strong one-time signature. Since only the BB-signature is related to Alice's identity, we encrypt it under the arbitrator's public key using Kiltz' tag-based encryption scheme [23], with the one-time verification key as the tag. The non-interactive proof is based on a newly developed technique by Groth and Sahai [?], which is efficient and does not require any complex NP-reduction. The proof consists of two parts. The first part includes a commitment to Alice's BB-signature along with a non-interactive witness indistinguishable (NIWI) proof showing that either Alice's BB-signature or Bob's BB-signature on the one-time verification key is in the commitment. The second part is a non-interactive zero-knowledge (NIZK) proof (of knowledge) showing that the commitment and the ciphertext contain the same thing. These two parts together imply that the ciphertext contains a BB-signature on the message generated by either Alice or Bob. Both the ciphertext and the proof are authenticated using the one-time signing key. Guaranteed by the strong unforgeability of the one-time signature, no efficient adversary can modify the ciphertext or the proof.

The NIWI proof system consists of four (PPT) algorithms, $K_{wi}$, $P_{wi}$, $V_{wi}$ and $X_{xk}$, where $K_{wi}$ is the key generation algorithm which outputs a common reference string $crs$ and an extraction key $xk$; $P_{wi}$ takes as input $crs$, the statement to be proved $x$, and a corresponding witness $w$, and outputs a proof $\pi$; $V_{wi}$ is the corresponding verification algorithm; and $X_{xk}$ takes as input $crs$ and a valid proof $\pi$, and outputs a witness $w'$. The NIZK proof shares the same common reference string with the NIWI proof. $P_{zk}$ and $V_{zk}$ are the proving and verification algorithms of the NIZK proof system respectively. Due to the page limit, we refer readers to [?] for detailed information about the non-interactive proofs and to [?] for an introduction to the building tools needed for our construction.

4.2 The Scheme 

Now we propose our A-OFE scheme. It works as follows: 

- PMGen takes $1^k$ and outputs $PM = (1^k, p, G_1, G_T, e, g)$ so that $G_1$ and $G_T$ are cyclic groups of prime order $p$; $g$ is a random generator of $G_1$; $e : G_1 \times G_1 \to G_T$ is an admissible bilinear pairing; and group operations on $G_1$ and $G_T$ can be efficiently performed.

- Setup$^{TTP}$: The arbitrator runs the key generation algorithm of the non-interactive proof system to generate a common reference string $crs$ and an extraction key $xk$, i.e. $(crs, xk) \leftarrow K_{wi}(1^k)$, where $crs = (F, H, U, V, W, U', V', W')$. It also randomly selects $K, L \leftarrow G_1$, and sets $(APK, ASK) = ((crs, K, L), xk)$, where $F, H, K, L$ together form the public key of the tag-based encryption scheme [23], and $xk$ is the extraction key of the NIWI proof system [?], which is also the decryption key of the tag-based encryption scheme.

- Setup$^{User}$: Each user $U_i$ randomly selects $x_i \leftarrow \mathbb{Z}_p$, and sets $(PK_i, SK_i) = (g^{x_i}, x_i)$.

- PSig: To partially sign a message $M$ with verifier $U_j$, user $U_i$ does the following:

1. call the key generation algorithm of $\mathcal{S}$ to generate a one-time key pair $(otvk, otsk)$;

2. use $SK_i$ to compute a BB-signature $\sigma$ on $H(otvk)$, i.e. $\sigma \leftarrow g^{1/(x_i + H(otvk))}$;

3. compute an NIWI proof $\pi_1$ showing that $\sigma$ is a valid signature under either $PK_i$ or $PK_j$, i.e. $\pi_1 \leftarrow P_{wi}(crs, (e(g, g), PK_i, PK_j, H(otvk)), (\sigma))$, which shows that the following holds:

$$e(\sigma, PK_i \cdot g^{H(otvk)}) = e(g, g) \ \vee\ e(\sigma, PK_j \cdot g^{H(otvk)}) = e(g, g)$$

4. compute a tag-based encryption [23] $y$ of $\sigma$, i.e. $y = (y_1, y_2, y_3, y_4, y_5) \leftarrow \mathcal{E}.E_{pk}(\sigma, tag)$, where $pk = (F, H, K, L)$ and $tag = H(otvk)$;

5. compute an NIZK proof $\pi_2$ showing that $y$ and the commitment $C$ to $\sigma$ in $\pi_1$ contain the same $\sigma$, i.e. $\pi_2 \leftarrow P_{zk}(crs, (y, \pi_1), (r, s, t))$;

6. use $otsk$ to sign the whole transcript and the message $M$, i.e. $\sigma_{ot} \leftarrow \mathcal{S}.S_{otsk}(M, \pi_1, y, \pi_2)$.

The partial signature $\sigma_P$ of $U_i$ on message $M$ then consists of $(otvk, \sigma_{ot}, \pi_1, y, \pi_2)$.

- PVer: After obtaining $U_i$'s partial signature $\sigma_P = (otvk, \sigma_{ot}, \pi_1, y, \pi_2)$, the verifier $U_j$ checks the following. If any one fails, $U_j$ rejects; otherwise, it accepts.

1. if $\sigma_{ot}$ is a valid one-time signature on $(M, \pi_1, y, \pi_2)$ under $otvk$;

2. if $\pi_1$ is a valid NIWI proof, i.e. $V_{wi}(crs, (e(g, g), PK_i, PK_j, H(otvk)), \pi_1) = \mathrm{accept}$;

3. if $\pi_2$ is a valid NIZK proof, i.e. $V_{zk}(crs, (y, \pi_1), \pi_2) = \mathrm{accept}$.

- Sig: To sign a message $M$ with verifier $U_j$, user $U_i$ generates a partial signature $\sigma_P$ as in PSig, and sets the full signature $\sigma_F$ as $\sigma_F = (\sigma_P, \sigma)$.

- Ver: After receiving $\sigma_F$ on $M$ from $U_i$, user $U_j$ checks if $\mathrm{PVer}(M, \sigma_P, \{PK_i, PK_j\}, APK) = \mathrm{accept}$, and if $e(\sigma, PK_i \cdot g^{H(otvk)}) = e(g, g)$. If any of the checks fails, $U_j$ rejects; otherwise, it accepts.

- Res: After receiving $U_i$'s partial signature $\sigma_P$ on message $M$ from user $U_j$, the arbitrator first checks the validity of $\sigma_P$. If invalid, it returns $\bot$ to $U_j$. Otherwise, it extracts $\sigma$ from $\pi_1$ by calling $\sigma \leftarrow X_{xk}(crs, \pi_1)$. The arbitrator returns $\sigma$ to $U_j$.
5 Security Analysis

Theorem 2. The proposed A-OFE scheme is secure in the multi-user setting 
and chosen-key model (without random oracle) provided that DLN assumption 
and q-SDH assumption hold. 

Intuitively, the resolution ambiguity is guaranteed by the extractability and 
soundness of the NIWI proof of knowledge system. The signer ambiguity and 
security against verifiers are due to the CCA security of the encryption scheme. 
Security against signers and security against the arbitrator are guaranteed by 
the (weak) unforgeability of BB-signature scheme. Due to the page limit, we 
leave the detailed proof in the full version of this paper. 

Remark 3. In our construction, the signer uses its secret key to generate a BB-signature on a fresh one-time verification key, while the message is signed using the corresponding one-time signing key. As shown by Huang et al. in [?], this combination leads to a strongly unforgeable signature scheme. It is not hard to see that our proposed A-OFE scheme actually achieves a stronger version of security against the verifier. That is, even if the adversary sees the signer $U_A$'s full signature $\sigma_F$ on a message $M$ with verifier $U_B$, it cannot generate another $\sigma'_F$ on $M$ such that $\mathrm{Ver}(M, \sigma'_F, PK_A, PK_B, APK) = \mathrm{accept}$. The claim can be shown using the proof given in this paper without much modification.

(Comparison): We note that the schemes proposed in [?] and [22] have similar properties to our ambiguous OFE, i.e. (online, offline) non-transferability. Here we make a brief comparison with these two schemes. First of all, our A-OFE scheme is better than them in terms of the level of non-transferability. In [?] and [22], the non-transferability is defined only in the CPA fashion: the adversary is not given an oracle for converting a partial signature to a full one. In our definition of A-OFE, by contrast, we define the ambiguity in the CCA fashion, allowing the adversary to ask for a partial signature to be resolved to a full one. Second, in terms of efficiency, our scheme outperforms the scheme proposed in [?], and is slightly slower than [?]. The generation of a partial signature in their scheme requires a linear (in the security parameter $k$) number of encryptions, and the size of a partial signature is also linear in $k$, whereas in our scheme both the computation cost and the size of a partial signature are constant. The partial signature of our scheme includes about 41 group elements plus a one-time verification key and a one-time signature. Third, both our scheme and the scheme in [?] only require one move in generating a partial signature, while the scheme in [22] requires four moves. Fourth, in [?], there is a setup phase between each signer and the confirmer, in which the confirmer generates an encryption key pair for each signer. Therefore, the confirmer has to store a key pair for each signer, leading to large storage, while our scheme and [?] do not need such a phase. Fifth, in terms of security, our scheme and [?] are provably secure without random oracles, but the scheme in [?] is only provably secure in the random oracle model.
Abstract. In a proof-of-retrievability system, a data storage center convinces a verifier that he is actually storing all of a client's data. The
central challenge is to build systems that are both efficient and provably 
secure - that is, it should be possible to extract the client’s data from 
any prover that passes a verification check. In this paper, we give the first 
proof-of-retrievability schemes with full proofs of security against arbi- 
trary adversaries in the strongest model, that of Juels and Kaliski. Our 
first scheme, built from BLS signatures and secure in the random oracle 
model, has the shortest query and response of any proof-of-retrievability 
with public verifiability. Our second scheme, which builds elegantly on 
pseudorandom functions (PRFs) and is secure in the standard model, has 
the shortest response of any proof-of-retrievability scheme with private 
verifiability (but a longer query). Both schemes rely on homomorphic 
properties to aggregate a proof into one small authenticator value. 


1 Introduction 

In this paper, we give the first proof-of-retrievability schemes with full proofs of 
security against arbitrary adversaries in the Juels-Kaliski model. Our first scheme 
has the shortest query and response of any proof-of-retrievability with public 
verifiability and is secure in the random oracle model. Our second scheme has the 
shortest response of any proof-of-retrievability scheme with private verifiability 
(but a longer query), and is secure in the standard model. 

Proofs of storage. Recent visions of “cloud computing” and “software as a ser- 
vice” call for data, both personal and business, to be stored by third parties, but 
deployment has lagged. Users of outsourced storage are at the mercy of their 
storage providers for the continued availability of their data. Even Amazon’s S3, 
the best-known storage service, has recently experienced significant downtime.¹
In an attempt to aid the deployment of outsourced storage, cryptographers 
have designed systems that would allow users to verify that their data is still 

* Supported by NSF CNS-0749931, CNS-0524252, CNS-0716199; the US Army Research Office under the CyberTA Grant No. W911NF-06-1-0316; and the U.S. Department of Homeland Security under Grant Award Number 2006-CS-001-000001.

¹ See, e.g., http://blogs.zdnet.com/projectfailures/?p=602

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 90-107, 2008.
available and ready for retrieval if needed: Deswarte, Quisquater, and Saidane [?], Filho and Barreto [?], and Schwarz and Miller [?]. In these systems, the client
and server engage in a protocol; the client seeks to be convinced by the protocol 
interaction that his file is being stored. Such a capability can be important to 
storage providers as well. Users may be reluctant to entrust their data to an 
unknown startup; an auditing mechanism can reassure them that their data is 
indeed still available. 

Evaluation: formal security models. Such proof-of-storage systems should be evaluated by both "systems" and "crypto" criteria. Systems criteria include: (1) the system should be as efficient as possible in terms of both computational complexity and communication complexity of the proof-of-storage protocol, and the storage overhead on the server should be as small as possible; (2) the system should allow unbounded use rather than imposing an a priori bound on the number of audit-protocol interactions;² (3) verifiers should be stateless, and not need to maintain and update state between audits, since such state is difficult to maintain if the verifier's machine crashes or if the verifier's role is delegated to third parties or distributed among multiple machines.³ Statelessness and unbounded use are required for proof-of-storage systems with public verifiability, in which anyone can undertake the role of verifier in the proof-of-storage protocol, not just the user who originally stored the file.⁴

The most important crypto criterion is this: whether the protocol actually establishes that any server that passes a verification check for a file, even a malicious server that exhibits arbitrary, Byzantine behavior, is actually storing the file. The early cryptographic papers lacked a formal security model, let alone proofs. But provable security matters. Even reasonable-looking protocols could in fact be insecure; see Appendix C of the full paper [?] for an example.

The first papers to consider formal models for proofs of storage were by Naor and Rothblum, for "authenticators" [?], and by Juels and Kaliski, for "proofs of retrievability" [?]. Though the details of the two models are different, the insight behind both is the same: in a secure system, if a server can pass an audit then a special extractor algorithm, interacting with the server, must be able (w.h.p.) to extract the file.⁵


² We believe that systems allowing a bounded number of interactions can be useful, but only as stepping stones towards fully secure systems. Some examples are bounded identity-based encryption [?] and bounded CCA-secure encryption [?]; in these systems, security is maintained only as long as the adversary makes at most $t$ private key extraction or decryption queries.

³ We note that the sentinel-based scheme of Juels and Kaliski [?], the scheme of Ateniese, Di Pietro, Mancini, and Tsudik [?], and the scheme of Shah, Swaminathan and Baker [?] lack both unbounded use and statelessness. We do not consider these schemes further in this paper.

⁴ Ateniese et al. [?] were the first to consider public verifiability for proof-of-storage schemes.

⁵ This is, of course, similar to the intuition behind proofs of knowledge.
A simple MAC-based construction. In addition, the Naor-Rothblum and Juels-Kaliski papers describe similar proof-of-retrievability protocols. The insight behind both is that checking that most of a file is stored is easier than checking that all of it is. If the file to be stored is first encoded redundantly, and each block of the encoded file is authenticated using a MAC, then it is sufficient for the client to retrieve a few blocks together with their MACs and check, using his secret key, that these blocks are correct. Naor and Rothblum prove their scheme secure in their model.⁶ The simple protocol obtained here uses techniques similar to those proposed by Lillibridge et al. [?]. Signatures can be used instead of MACs to obtain public verifiability.

The downside to this simple solution is that the server's response consists of $\lambda$ block-authenticator pairs, where $\lambda$ is the security parameter. If each authenticator is $\lambda$ bits long, as required in the Juels-Kaliski model, then the response is $\lambda^2 \cdot (s + 1)$ bits, where the ratio of file block to authenticator length is $s : 1$.⁷

Homomorphic authenticators. The proof-of-storage scheme described by Ateniese et al. [?] improves on the response length of the simple MAC-based scheme using homomorphic authenticators. In their scheme, the authenticators $\sigma_i$ on each file block $m_i$ are constructed in such a way that a verifier can be convinced that a linear combination of blocks $\sum_i \nu_i m_i$ (with arbitrary weights $\{\nu_i\}$) was correctly generated using an authenticator computed from $\{\sigma_i\}$.⁸

When using homomorphic authenticators, the server can combine the blocks and $\lambda$ authenticators in its response into a single aggregate block and authenticator, reducing the response length by a factor of $\lambda$. As an additional benefit, the Ateniese et al. scheme is the first with public verifiability. The homomorphic authenticators of Ateniese et al. are based on RSA and are thus relatively long.

Unfortunately, Ateniese et al. do not give a rigorous proof of security for their scheme. In particular, they do not show that one can extract a file (or even a significant fraction of one) from a prover that is able to answer auditing queries convincingly. The need for rigor in extraction arguments applies equally to both the proof-of-retrievability model we consider and the weaker proof of data possession model considered by Ateniese et al.⁹

Our contributions. In this paper, we make two contributions. 

1. We describe two new short, efficient homomorphic authenticators. The first, based on PRFs, gives a proof-of-retrievability scheme secure in the standard model. The second, based on BLS signatures [?], gives a proof-of-retrievability scheme with public verifiability secure in the random oracle model.

2. We prove both of the resulting schemes secure in a variant of the Juels-Kaliski model. Our schemes are the first with a security proof against arbitrary adversaries in this model.

⁶ Juels and Kaliski do not give a proof of security against arbitrary adversaries, but this proof is trivial using the techniques we develop in this paper; for completeness, we give the proof in Appendix D of the full paper [?].

⁷ Naor and Rothblum show that one-bit MACs suffice for proving security in their less stringent model, for an overall response length of $\lambda \cdot (s + 1)$ bits. The Naor-Rothblum scheme is not secure in the Juels-Kaliski model.

⁸ In the Ateniese et al. construction the aggregate authenticator is $\prod_i \sigma_i^{\nu_i} \bmod N$.

⁹ For completeness, we give a correct and fully proven Ateniese-et-al.-inspired, RSA-based scheme, together with a full proof of security, in Appendix E of the full paper [?].

The scheme with public retrievability has the shortest query and response of any 
proof-of-retrievability scheme: 20 bytes and 40 bytes, respectively, at the 80-bit 
security level. The scheme with private retrievability has the shortest response 
of any proof-of-retrievability scheme (20 bytes), matching the response length 
of the Naor-Rothblum scheme in a more stringent security model, albeit at the 
cost of a longer query. We believe that derandomizing the query in this scheme 
is the major remaining open problem for proofs of retrievability. 

1.1 Our Schemes 

In our schemes, as in the Juels-Kaliski scheme, the user breaks an erasure-encoded file into $n$ blocks $m_1, \ldots, m_n \in \mathbb{Z}_p$ for some large prime $p$. The erasure code should allow decoding in the presence of adversarial erasure. Erasure codes derived from Reed-Solomon codes have this property, but decoding and encoding are slow for large files. In Appendix B of the full paper [?] we discuss how to make use of more efficient codes secure only against random erasures.

The user authenticates each block as follows. She chooses a random $\alpha \in \mathbb{Z}_p$ and a PRF key $k$ for the function $f$. These values serve as her secret key. She calculates an authentication value for each block $i$ as

$$\sigma_i = f_k(i) + \alpha m_i \in \mathbb{Z}_p.$$

The blocks $\{m_i\}$ and authenticators $\{\sigma_i\}$ are stored on the server. The proof of retrievability protocol is as follows. The verifier chooses a random challenge set $I$ of $l$ indices along with $l$ random coefficients in $\mathbb{Z}_p$.¹⁰ Let $Q$ be the set $\{(i, \nu_i)\}$ of challenge index-coefficient pairs. The verifier sends $Q$ to the prover. The prover then calculates the response, a pair $(\sigma, \mu)$, as

$$\sigma \leftarrow \sum_{(i, \nu_i) \in Q} \nu_i \cdot \sigma_i \quad\text{and}\quad \mu \leftarrow \sum_{(i, \nu_i) \in Q} \nu_i \cdot m_i.$$

Now the verifier can check that the response was correctly formed by checking that

$$\sigma = \alpha \cdot \mu + \sum_{(i, \nu_i) \in Q} \nu_i \cdot f_k(i).$$

It is clear that our techniques admit short responses. But it is not clear that our new system admits a simulator that can extract files. Proving that it does is quite challenging, as we discuss below. In fact, unlike similar, seemingly correct schemes (see Appendix C of the full paper [?]), our scheme is provably secure in the standard model.

¹⁰ Or, more generally, from a subset $B$ of $\mathbb{Z}_p$ of appropriate size; see Section 1.1.
A scheme with public verifiability. Our second scheme is publicly verifiable. It follows the same framework as the first, but instead uses BLS signatures [?] for authentication values that can be publicly verified. The structure of these signatures allows for them to be aggregated into linear combinations as above. We prove the security of this scheme under the Computational Diffie-Hellman assumption over bilinear groups in the random oracle model.

Let $e : G \times G \to G_T$ be a computable bilinear map with group $G$'s support being $\mathbb{Z}_p$. A user's private key is $x \in \mathbb{Z}_p$, and her public key is $v = g^x \in G$ along with another generator $u \in G$. The signature on block $i$ is $\sigma_i = [H(i) u^{m_i}]^x$. On receiving query $Q = \{(i, \nu_i)\}$, the prover computes and sends back $\sigma \leftarrow \prod_{(i, \nu_i) \in Q} \sigma_i^{\nu_i}$ and $\mu \leftarrow \sum_{(i, \nu_i) \in Q} \nu_i \cdot m_i$. The verification equation is:

$$e(\sigma, g) = e\Bigl(\prod_{(i, \nu_i) \in Q} H(i)^{\nu_i} \cdot u^{\mu},\ v\Bigr).$$

This scheme has public verifiability: the private key $x$ is required for generating the authenticators $\{\sigma_i\}$, but the public key $v$ is sufficient for the verifier in the proof-of-retrievability protocol.

Parameter selection. Let $\lambda$ be the security parameter; typically, $\lambda = 80$. For the scheme with private verification, $p$ should be a $\lambda$-bit prime. For the scheme with public verification, $p$ should be a $2\lambda$-bit prime, and the curve should be chosen so that discrete logarithm is $2^\lambda$-secure. For values of $\lambda$ up to 128, Barreto-Naehrig curves [?] are the right choice; see the survey by Freeman, Scott, and Teske [?]. Let $n$ be the number of blocks in the file. We assume that $n > \lambda$. Suppose we use a rate-$\rho$ erasure code, i.e., one in which any $\rho$-fraction of the blocks suffices for decoding. (Encoding will cause the file length to grow approximately $(1/\rho)\times$.) Let $l$ be the number of indices in the query $Q$, and $B \subseteq \mathbb{Z}_p$ be the set from which the challenge weights $\nu_i$ are drawn.

Our proofs (see Section 4.2 for the details) guarantee that extraction will succeed from any adversary that convincingly answers an $\epsilon$-fraction of queries, provided that $\epsilon - \rho^l - 1/\#B$ is non-negligible in $\lambda$. It is this requirement that guides the choice of parameters.

A conservative choice is $\rho = 1/2$, $l = \lambda$, and $B = \{0, 1\}$; this guarantees extraction against any adversary.¹¹ For applications that can tolerate a larger error rate these parameters can be reduced. For example, if a 1-in-1,000,000 error is acceptable, we can take $B$ to be the set of 22-bit strings and $l$ to be 22; alternatively, the coding expansion $1/\rho$ can be reduced.

A tradeoff between storage and communication. As we described our schemes above, each file block is accompanied by an authenticator of equal length. This gives a $2\times$ overhead beyond that imposed by the erasure code, and the server's response in the proof-of-retrievability protocol is $2\times$ the length of an authenticator. In the full schemes of Section [?] we introduce a parameter $s$ that gives a tradeoff between storage overhead and response length. Each block consists of $s$ elements of $\mathbb{Z}_p$ that we call sectors. There is one authenticator per block, reducing the overhead to $(1 + 1/s)\times$. The server's response is one aggregated block and authenticator, and is $(1 + s)\times$ as long as an authenticator. The choice $s = 1$ corresponds to our schemes as we described them above and to the scheme given by Ateniese et al. [?].¹²

¹¹ The careful analysis in our proofs allows us to show that, for 80-bit security, the challenge coefficients $\nu_i$ can be 80 bits long, not 160 as proposed in [?, p. 17]. The smaller these coefficients, the more efficient the multiplications or exponentiations that involve them.
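The privately verifiable scheme of Section 1.1, generalised to blocks of $s$ sectors with one authenticator per block as in the tradeoff just described, as an added example that is not the paper's code. It assumes HMAC-SHA256 as the PRF $f_k$ and a fixed 127-bit prime as $p$, omits the erasure code, and its function names (keygen, encode_file, authenticate, challenge, prove, verify, demo) are hypothetical.

```python
import hashlib
import hmac
import secrets

# Added example, not the paper's code: a toy instance of the privately verifiable
# proof of retrievability from Section 1.1, generalised to blocks of s sectors
# (one authenticator per block) as in the storage/communication tradeoff.
# Assumptions made here: f_k is HMAC-SHA256 reduced mod p, and p is a fixed
# 127-bit Mersenne prime standing in for the paper's large prime; the erasure
# code that precedes authentication is omitted.

P = (1 << 127) - 1  # constructed choice of the prime p


def prf(k: bytes, i: int) -> int:
    """f_k(i): PRF value for block index i, taken in Z_p (HMAC-SHA256 stands in for f)."""
    mac = hmac.new(k, i.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % P


def keygen(s: int) -> dict:
    """Secret key: PRF key k plus s per-file secrets alpha_1..alpha_s (s = 1 gives sigma_i = f_k(i) + alpha*m_i)."""
    return {"k": secrets.token_bytes(32), "alpha": [secrets.randbelow(P) for _ in range(s)]}


def encode_file(data: bytes, s: int) -> list:
    """Split a byte string into blocks of s sectors, each sector a 15-byte integer (< p). No erasure coding."""
    sector_bytes = 15
    chunk = s * sector_bytes
    data += b"\x00" * (-len(data) % chunk)  # zero-pad the last block
    return [[int.from_bytes(data[off + j * sector_bytes: off + (j + 1) * sector_bytes], "big")
             for j in range(s)]
            for off in range(0, len(data), chunk)]


def authenticate(sk: dict, blocks: list) -> list:
    """sigma_i = f_k(i) + sum_j alpha_j * m_ij  (mod p), one authenticator per block."""
    return [(prf(sk["k"], i) + sum(a * m for a, m in zip(sk["alpha"], block))) % P
            for i, block in enumerate(blocks)]


def challenge(n: int, l: int, weight_bits: int) -> list:
    """Q = {(i, nu_i)}: l distinct random indices, each with a weight drawn from B = [0, 2^weight_bits)."""
    rng = secrets.SystemRandom()
    return [(i, rng.getrandbits(weight_bits)) for i in sorted(rng.sample(range(n), l))]


def prove(blocks: list, sigmas: list, Q: list) -> tuple:
    """Prover's response: aggregated authenticator sigma and aggregated block mu = (mu_1..mu_s)."""
    s = len(blocks[0])
    sigma = sum(nu * sigmas[i] for i, nu in Q) % P
    mu = [sum(nu * blocks[i][j] for i, nu in Q) % P for j in range(s)]
    return sigma, mu


def verify(sk: dict, Q: list, sigma: int, mu: list) -> bool:
    """Check sigma == sum_j alpha_j * mu_j + sum_{(i,nu_i) in Q} nu_i * f_k(i)  (mod p)."""
    expected = sum(a * m for a, m in zip(sk["alpha"], mu))
    expected += sum(nu * prf(sk["k"], i) for i, nu in Q)
    return sigma == expected % P


def demo(s: int = 4, l: int = 16, weight_bits: int = 80) -> tuple:
    """Run one audit honestly, then against a server that lost a challenged block.

    Returns (honest_passes, lost_block_passes); the second is False because a
    nonzero weight nu_i times a nonzero change in block i cannot vanish mod p.
    """
    data = b"constructed sample file: " + bytes(range(256)) * 8  # constructed input
    blocks = encode_file(data, s)
    sk = keygen(s)
    sigmas = authenticate(sk, blocks)  # client stores (blocks, sigmas) on the server
    Q = challenge(len(blocks), l, weight_bits)
    honest = verify(sk, Q, *prove(blocks, sigmas, Q))
    # Cheating server: block `lost` is gone; it substitutes zeros but keeps the old sigma_i.
    lost = next(i for i, nu in Q if nu != 0)
    damaged = [[0] * s if i == lost else block for i, block in enumerate(blocks)]
    cheating = verify(sk, Q, *prove(damaged, sigmas, Q))
    return honest, cheating


if __name__ == "__main__":
    print(demo())  # (True, False)
```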

Compressing the request. A request, as we have seen, consists of an $l$-element subset of $[1, n]$ together with $l$ elements of the coefficient set $B$, chosen uniformly and independently at random. In the conservative parametrization above, a request is thus $\lambda \cdot (\lceil \lg n \rceil + \lambda)$ bits long. One can reduce the randomness required to generate the request using standard techniques,¹³ but this will not shorten the request itself. In the random oracle model, the verifier can send a short ($2\lambda$-bit) seed for the random oracle from which the prover will generate the full query. Using this technique we can make the queries as well as responses compact in our publicly verifiable scheme, which already relies on random oracles.¹⁴ Obtaining short queries in the standard model is the major remaining open problem in proofs of retrievability.

We note that, by techniques similar to those discussed above, a PRF can be used to generate the per-file secret values $\{\alpha_j\}$ for our privately verifiable scheme and a random oracle seed can be used to generate the per-file public generators $\{u_j\}$ in our publicly verifiable scheme. This allows file tags for both schemes to be short: $O(\lambda)$, asymptotically.

We also note that subsequent to our work Bowers, Juels, and Oprea [?] provided a framework, based on "inner and outer" error correcting codes, by which they describe parameterizations of our approach that trade off the cost of a single audit and the computational efficiency of extracting a file over a series of audit requests. In our work we have chosen to put emphasis on reducing single audit costs. We envision an audit as a mechanism to ensure that a file is indeed available and that a file under most circumstances will be retrieved as a simple bytestream. In a further difference, the error-correcting codes employed by Bowers, Juels, and Oprea are optimized for the case where $\epsilon > 1/2$, i.e., for when the server answers correctly more than half the time. By contrast, our techniques scale to any small (but nonnegligible) $\epsilon$. We believe that this frees systems implementers from having to worry about whether a substantial error rate (for example, due to an intermittent connection between auditor and server) invalidates the assumptions of the underlying cryptography.

¹² It would be possible to shorten the response further using knowledge-of-exponent assumptions, as Ateniese et al. do, but such assumptions are strong and nonstandard; more importantly, their use means that the extractor can never be implemented in the real world.

¹³ For example, choose keys $k'$ and $k''$ for PRFs with respective ranges $[1, n]$ and $B$. The query indices are the first $l$ distinct values amongst $f_{k'}(1), f_{k'}(2), \ldots$; the query coefficients are $f_{k''}(1), f_{k''}(2), \ldots$.

¹⁴ Ateniese et al. propose to eliminate random oracles here by having the prover generate the full query using PRF keys sent by the verifier [?, p. 11], but it is not clear how to prove such a scheme secure, since the PRF security definition assumes that keys are kept secret.

96 H. Shacham and B. Waters


1.2 Our Proofs 

We provide a modular proof framework for the security of our schemes. Our framework allows us to argue about the system's unforgeability, extractability, and retrievability, with these three parts based respectively on cryptographic, combinatorial, and coding-theoretical techniques. Only the first part differs between the three schemes we propose. The combinatorial techniques we develop are nontrivial and we believe they will be of independent interest.

It is interesting to compare both our security model and our proof methodol- 
ogy to those in related work. 

The proof of retrievability model has two major distinctions from that used 
by Naor and Rothblum m (in addition to the public-key setting). First, the 
NR model assumes a checker can request and receive specific memory locations 
from the prover. In the proof of retrievability model, the prover can consist of an 
arbitrary program as opposed to a simple memory layout and this program may 
answer these questions in an arbitrary manner. We believe that this realistically 
represents an adversary in the type of setting we are considering. In the NR 
setting the extractor needs to retrieve the file given the server’s memory; in the 
POR setting the analogy is that the extractor receives the adversary’s program. 

Second, in the proof of retrievability model we allow the attacker to execute
a polynomial number of proof attempts before committing to how it will store
memory. In the NR model the adversary does not get to execute the protocol
before committing its memory. This weaker model is precisely what allows for
the use of 1-bit MACs with error correcting codes in one NR variant. One might
argue that in many situations this is sufficient: if a storage server responds
incorrectly to an audit request we might assume that it is declared to be cheating
and there is no need to go further. However, this limited view overlooks several
scenarios. In particular, we want to be able to handle setups where there are
several verifiers that do not communicate, or several storage servers handling
the same encoded file that are audited independently. Only our stronger model
can correctly reflect these situations. In general, we believe that the strongest
security model allows for a system to be secure in the most contexts, including
those not previously considered.¹⁵

One of the distinctive and challenging parts of our work is to argue extraction
from homomorphically accumulated blocks. While Ateniese et al. [?] proposed
using homomorphic RSA signatures and proved what is equivalent to our
unforgeability requirement, they did not provide an argument that one could
extract individual blocks from a prover. The only place where extractability is
addressed in their work is a short paragraph in Appendix A, where they provide
some intuitive arguments. Here is one concrete example: their constructions
make multiple uses of pseudorandom functions (PRFs), yet the security properties
of a PRF are never applied in a security reduction. This gives compelling
evidence that a rigorous security proof was not provided. Again, we emphasize
that extraction is needed even in the weaker proof of data possession model
claimed by the authors.

¹⁵ We liken this argument to that for the strong definition currently accepted for
chosen-ciphertext secure encryption.

Extractability issues arise in several natural constructions. Proving extraction
from aggregated authenticator values can be challenging; in Appendix C of the
full paper [?] we show an attack on a natural but incorrect system that is
very similar to the "E-PDP" efficient alternative scheme given by Ateniese et al.
(which they use in their performance measurements). For this scheme, Ateniese
et al. claim only that the protocol establishes that a cheating prover has the
sum $\sum_{i \in I} m_i$ of the blocks. We show that indeed this is all it can provide.
Ateniese et al. calculate that a malicious server attacking the E-PDP scheme
would need to store $10^{140}$ blocks in order to cheat with probability 100%. By
contrast, our attack, which allows the server to cheat with somewhat lower
probability (almost 9% for standard parameters), requires no more storage than
were the server faithfully storing the file.

Finally, we argue that the POR is the "right" model for considering practical
data storage problems, since a successful audit guarantees that all the
data can be extracted. Other work has advocated that a weaker Proof of Data
Possession (PDP) model [?] might be acceptable. In this model, one only wants to
guarantee that a certain percentage (e.g., 90%) of data blocks are available. By
offering this weaker guarantee one might hope to avoid the overhead of applying
erasure codes. However, this weaker condition is unsatisfactory for most practical
application demands. One might consider how happy a user would be were 10% of
a file containing accounting data lost. Or if, for a compressed file, the compression
tables were lost, and with them all useful data. Instead of hoping that there
is enough redundancy left to reconstruct important data in an ad-hoc way, it is
much more desirable to have a model that inherently provides this. We also note
that Ateniese et al. [?] make an even weaker guarantee for their "E-PDP" system
that they implement and use as the basis for their measurements. According to
[?], their E-PDP system "only guarantees possession of the sum of the blocks."
While this might be technically correct, it is even more difficult to discern what
direct use could come from retrieving a sum of a subset of data blocks.

One might still hope to make use of systems proved secure under these models.
For example, we might attempt to make a PDP system usable by adding on
an erasure encoding step. In addition, if a system proved that one could be
guaranteed sums of blocks for a particular audit, then it might be the case that
by using multiple audits one could guarantee that individual file blocks could
be extracted. However, one must prove that this is the case and account for
the additional computational and communication overhead of multiple passes.
When systems use definitions that don't model full retrievability it becomes very
difficult to make any useful security or performance comparisons.

2 Security Model 

We recall the security definition of Juels and Kaliski [?]. Our version differs
from the original definition in several details:

— we rule out any state ("$\alpha$") in key generation and in verification, because
(as explained in Section 1.1) we believe that verifiers in proof-of-retrievability
schemes should be stateless;

— we allow the proof protocol to be arbitrary, rather than two-move, challenge-
response; and

— our key generation emits a public key as well as a private key, to allow us to
capture the notion of public verifiability.

Note that any stateless scheme secure in the original Juels-Kaliski model will be
secure in our variant, and any scheme secure in our variant whose proof protocol
can be cast as a two-move, challenge-response protocol will be secure in the Juels-
Kaliski definition. In particular, our scheme with private verifiability is secure in
the original Juels-Kaliski model.¹⁶

A proof of retrievability scheme defines four algorithms, Kg, St, P, and V,
which behave thus:

Kg(). This randomized algorithm generates a public-private keypair $(pk, sk)$.

St(sk, M). This randomized file-storing algorithm takes a secret key $sk$ and a
file $M \in \{0,1\}^*$ to store. It processes $M$ to produce and output $M^*$, which
will be stored on the server, and a tag $t$. The tag contains information that
names the file being stored; it could also contain additional secret information
encrypted under the secret key $sk$.

P, V. The randomized proving and verifying algorithms define a protocol for
proving file retrievability. During protocol execution, both algorithms take as
input the public key $pk$ and the file tag $t$ output by St. The prover algorithm
also takes as input the processed file description $M^*$ that is output by St,
and the verifier algorithm takes as input the secret key. At the end of the
protocol run, V outputs 0 or 1, where 1 means that the file is being stored on
the server. We can denote a run of two machines executing the algorithms
as: $\{0,1\} \leftarrow (V(pk, sk, t) \rightleftharpoons P(pk, t, M^*))$.

¹⁶ In an additional minor difference, we do not specify the extraction algorithm as part
of a scheme, because we do not expect that the extract algorithm will be deployed
in outsourced storage applications. Nevertheless, the extract algorithm used in our
proofs (cf. Section 4.2) is quite simple: undertake many random V interactions with
the cheating prover; keep track of those queries for which V accepts the cheating
prover's reply as valid; and continue until enough information has been gathered to
recover file blocks by means of linear algebra. The adversary $A$ could implement this
algorithm by means of its proof-of-retrievability protocol access.
We would like a proof-of-retrievability protocol to be correct and sound. Correctness
requires that, for all keypairs $(pk, sk)$ output by Kg, for all files $M \in \{0,1\}^*$,
and for all $(M^*, t)$ output by St$(sk, M)$, the verification algorithm accepts when
interacting with the valid prover:

$$(V(pk, sk, t) \rightleftharpoons P(pk, t, M^*)) = 1 .$$

A proof-of-retrievability protocol is sound if any cheating prover that convinces
the verification algorithm that it is storing a file $M$ is actually storing
that file, which we define in saying that it yields up the file $M$ to an extractor
algorithm that interacts with it using the proof-of-retrievability protocol.
We formalize the notion of an extractor and then give a precise definition for
soundness.

An extractor algorithm Extr$(pk, sk, t, P')$ takes the public and private keys,
the file tag $t$, and the description of a machine implementing the prover's role
in the proof-of-retrievability protocol: for example, the description of an interactive
Turing machine, or of a circuit in an appropriately augmented model. The
algorithm's output is the file $M \in \{0,1\}^*$. Note that Extr is given non-black-box
access to $P'$ and can, in particular, rewind it.

Consider the following setup game between an adversary $A$ and an environment:

1. The environment generates a keypair $(pk, sk)$ by running Kg, and provides
$pk$ to $A$.

2. The adversary can now interact with the environment. It can make queries
to a store oracle, providing, for each query, some file $M$. The environment
computes $(M^*, t) \leftarrow$ St$(sk, M)$ and returns both $M^*$ and $t$ to the adversary.

3. For any $M$ on which it previously made a store query, the adversary can
undertake executions of the proof-of-retrievability protocol, by specifying the
corresponding tag $t$. In these protocol executions, the environment plays
the part of the verifier and the adversary plays the part of the prover:
$V(pk, sk, t) \rightleftharpoons A$. When a protocol execution completes, the adversary is
provided with the output of V. These protocol executions can be arbitrarily
interleaved with each other and with the store queries described above.

4. Finally, the adversary outputs a challenge tag $t$ returned from some store
query, and the description of a prover $P'$.

The cheating prover $P'$ is $\epsilon$-admissible if it convincingly answers an $\epsilon$ fraction of
verification challenges, i.e., if $\Pr[(V(pk, sk, t) \rightleftharpoons P') = 1] \ge \epsilon$. Here the probability
is over the coins of the verifier and the prover. Let $M$ be the message input to
the store query that returned the challenge tag $t$ (along with a processed version
$M^*$ of $M$).

Definition 1. We say a proof-of-retrievability scheme is $\epsilon$-sound if there exists
an extraction algorithm Extr such that, for every adversary $A$, whenever $A$,
playing the setup game, outputs an $\epsilon$-admissible cheating prover $P'$ for a file $M$,
the extraction algorithm recovers $M$ from $P'$, i.e., Extr$(pk, sk, t, P') = M$,
except possibly with negligible probability.

Note that it is okay for $A$ to have engaged in the proof-of-retrievability protocol
for $M$ in its interaction with the environment. Note also that each run of the
proof-of-retrievability protocol is independent: the verifier implemented by the
environment is stateless.

Finally, note that we require that extraction succeed (with all but negligible
probability) from an adversary that causes V to accept with any nonnegligible
probability $\epsilon$. An adversary that passes the verification even a very small but
nonnegligible fraction of the time, say once in a million interactions, is fair
game. Intuitively, recovering enough blocks to reconstruct the original file from
such an adversary should take $O(n/\epsilon)$ interactions; our proofs achieve essentially
this bound.

Concrete or asymptotic formalization. A proof-of-retrievability scheme is secure
if no efficient algorithm wins the game above except rarely, where the precise
meaning of "efficient" and "rarely" depends on whether we employ a concrete
or asymptotic formalization.

It is possible to formalize the notion above either concretely or asymptotically.
In a concrete formalization, we require that each algorithm defining the
proof-of-retrievability scheme run in at most some number of steps, and that for
any algorithm $A$ that runs in time $t$ steps, that makes at most $q_s$ store queries,
and that undertakes at most $q_P$ proof-of-retrievability protocol executions,
extraction from an $\epsilon$-admissible prover succeeds except with some small probability
$\delta$. In an asymptotic formalization, every algorithm is provided with an
additional parameter $1^\lambda$ for security parameter $\lambda$, we require each algorithm
to run in time polynomial in $\lambda$, and we require that extraction fail from an
$\epsilon$-admissible prover with only negligible probability in $\lambda$, provided $\epsilon$ is
nonnegligible.

Public or private verification, public or private extraction. In the model above,
the verifier and extractor are provided with a secret that is not known to the
prover or other parties. This is a secret-verification, secret-extraction model.
If the verification algorithm does not use the secret key, any third party
can check that a file is being stored, giving public verification. Similarly, if the
extract algorithm does not use the secret key, any third party can extract the
file from a server, giving public extraction.

3 Constructions 

In this section we give formal descriptions for both our private and public
verification systems. The systems here follow the constructions outlined in the
introduction with a few added generalizations. First, we allow blocks to contain
$s \ge 1$ elements of $\mathbb{Z}_p$. This allows for a tradeoff between storage overhead and
communication overhead. Roughly, the communication complexity grows as $s+1$
elements of $\mathbb{Z}_p$ and the ratio of authentication overhead to data stored (post
encoding) is $1 : s$. Second, we describe our systems where the set of coefficients
sampled from $B$ can be smaller than all of $\mathbb{Z}_p$. This enables us to make more
efficient systems in certain situations.

3.1 Common Notation 

We will work in the group $\mathbb{Z}_p$. When we work in the bilinear setting, the group
$\mathbb{Z}_p$ is the support of the bilinear group $G$, i.e., $|G| = p$. In queries, coefficients
will come from a set $B \subseteq \mathbb{Z}_p$. For example, $B$ could equal $\mathbb{Z}_p$, in which case
query coefficients will be randomly chosen out of all of $\mathbb{Z}_p$.

After a file undergoes preliminary processing, the processed file is split into
blocks, and each block is split into sectors. Each sector is one element of $\mathbb{Z}_p$,
and there are $s$ sectors per block. If the processed file is $b$ bits long, then there
are $n = \lceil b / (s \lg p) \rceil$ blocks. We will refer to individual file sectors as $\{m_{ij}\}$, with
$1 \le i \le n$ and $1 \le j \le s$.

Queries. A query is an $l$-element set $Q = \{(i, \nu_i)\}$. Each entry $(i, \nu_i) \in Q$ is such
that $i$ is a block index in the range $[1, n]$, and $\nu_i$ is a multiplier in $B$. The size $l$
of $Q$ is a system parameter, as is the choice of the set $B$.

The verifier chooses a random query as follows. First, she chooses, uniformly at
random, an $l$-element subset $I$ of $[1, n]$. Then, for each element $i \in I$ she chooses,
uniformly at random, an element $\nu_i \xleftarrow{R} B$. We observe that this procedure
implies selection of $l$ elements from $[1, n]$ without replacement but a selection of
$l$ elements from $B$ with replacement.

Although the set notation $Q = \{(i, \nu_i)\}$ is space-efficient and convenient for
implementation, we will also make use of a vector notation in the analysis. A
query $Q$ over indices $I \subseteq [1, n]$ is represented by a vector $q \in (\mathbb{Z}_p)^n$ where
$q_i = \nu_i$ for $i \in I$ and $q_i = 0$ for all $i \notin I$. Equivalently, letting $u_1, \ldots, u_n$ be the
usual basis for $(\mathbb{Z}_p)^n$,¹⁷ we have $q = \sum_{i \in I} \nu_i u_i$.

If the set $B$ does not contain 0 then a random query (according to the selection
procedure defined above) is a random weight-$l$ vector in $(\mathbb{Z}_p)^n$ with coefficients
in $B$. If $B$ does contain 0, then a similar argument can be made,
but care must be taken to distinguish the case "$i \in I$ and $\nu_i = 0$" from the
case "$i \notin I$."

Aggregation. For its response, the server responds to a query $Q$ by computing,
for each $j$, $1 \le j \le s$, the value

$$\mu_j \leftarrow \sum_{(i, \nu_i) \in Q} \nu_i m_{ij} .$$

That is, by combining sectorwise the blocks named in $Q$, each with its multiplier
$\nu_i$. Addition, of course, is modulo $p$. The response is $(\mu_1, \ldots, \mu_s) \in (\mathbb{Z}_p)^s$.

Suppose we view the message blocks on the server as an $n \times s$ element matrix
$M = (m_{ij})$; then, using the vector notation for queries given above, the server's
response is given by $qM$.

¹⁷ We are using subscripts to denote vector elements (for $q$) and to choose a particular
vector from a set (for $u$); but no confusion should arise.
3.2 Construction for Private Verification

Let $f : \{0,1\}^* \times \mathcal{K}_{prf} \to \mathbb{Z}_p$ be a PRF.¹⁸ The construction of the private
verification scheme Priv is:

Priv.Kg(). Choose a random symmetric encryption key $k_{enc} \xleftarrow{R} \mathcal{K}_{enc}$ and a
random MAC key $k_{mac} \xleftarrow{R} \mathcal{K}_{mac}$. The secret key is $sk = (k_{enc}, k_{mac})$; there is no
public key.

Priv.St(sk, M). Given the file $M$, first apply the erasure code to obtain $M'$; then
split $M'$ into $n$ blocks (for some $n$), each $s$ sectors long: $\{m_{ij}\}_{1 \le i \le n,\, 1 \le j \le s}$. Now
choose a PRF key $k_{prf} \xleftarrow{R} \mathcal{K}_{prf}$ and $s$ random numbers $\alpha_1, \ldots, \alpha_s \xleftarrow{R} \mathbb{Z}_p$. Let
$t_0$ be $n \,\|\, \mathrm{Enc}_{k_{enc}}(k_{prf} \,\|\, \alpha_1 \,\|\, \cdots \,\|\, \alpha_s)$; the file tag is $t = t_0 \,\|\, \mathrm{MAC}_{k_{mac}}(t_0)$. Now,
for each $i$, $1 \le i \le n$, compute

$$\sigma_i \leftarrow f_{k_{prf}}(i) + \sum_{j=1}^{s} \alpha_j m_{ij} .$$

The processed file $M^*$ is $\{m_{ij}\}$, $1 \le i \le n$, $1 \le j \le s$ together with $\{\sigma_i\}$,
$1 \le i \le n$.

Priv.V(pk, sk, t). Parse $sk$ as $(k_{enc}, k_{mac})$. Use $k_{mac}$ to verify the MAC on $t$; if the
MAC is invalid, reject by emitting 0 and halting. Otherwise, parse $t$ and use
$k_{enc}$ to decrypt the encrypted portions, recovering $n$, $k_{prf}$, and $\alpha_1, \ldots, \alpha_s$.
Now pick a random $l$-element subset $I$ of the set $[1, n]$, and, for each $i \in I$,
a random element $\nu_i \xleftarrow{R} B$. Let $Q$ be the set $\{(i, \nu_i)\}$. Send $Q$ to the prover.
Parse the prover's response to obtain $\mu_1, \ldots, \mu_s$ and $\sigma$, all in $\mathbb{Z}_p$. If parsing
fails, fail by emitting 0 and halting. Otherwise, check whether

$$\sigma = \sum_{(i, \nu_i) \in Q} \nu_i f_{k_{prf}}(i) + \sum_{j=1}^{s} \alpha_j \mu_j ;$$

if so, output 1; otherwise, output 0.

Priv.P(pk, t, M*). Parse the processed file $M^*$ as $\{m_{ij}\}$, $1 \le i \le n$, $1 \le j \le s$,
along with $\{\sigma_i\}$, $1 \le i \le n$. Parse the message sent by the verifier as $Q$, an
$l$-element set $\{(i, \nu_i)\}$, with the $i$'s distinct, each $i \in [1, n]$, and each $\nu_i \in B$.
Compute

$$\mu_j \leftarrow \sum_{(i, \nu_i) \in Q} \nu_i m_{ij} \ \text{ for } 1 \le j \le s, \qquad \text{and} \qquad \sigma \leftarrow \sum_{(i, \nu_i) \in Q} \nu_i \sigma_i .$$

Send to the verifier in response the values $\mu_1, \ldots, \mu_s$ and $\sigma$.

¹⁸ In fact, the domain need only be $\lceil \lg A \rceil$-bit strings, where $A$ is a bound on the
number of blocks in a file.
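The following is an added example, not code from the paper: a toy instance of the Priv scheme above, written so that the authenticator algebra ($\sigma_i = f_{k_{prf}}(i) + \sum_j \alpha_j m_{ij}$, the aggregated response, and the verifier's check) can be run end to end. It assumes a fixed 127-bit prime for $\mathbb{Z}_p$, HMAC-SHA256 as both the PRF $f$ and the MAC, an HMAC-derived stream cipher with a fresh nonce as Enc, $B = \mathbb{Z}_p \setminus \{0\}$, and it omits the erasure-coding step of Priv.St (so $M' = M$); all of these are choices made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Added example, not the paper's code.  Assumptions: p is a fixed 127-bit prime,
# the PRF f and the MAC are HMAC-SHA256, Enc is an HMAC-derived stream cipher keyed
# with (k_enc, fresh nonce), B = Z_p \ {0}, and the erasure-coding step of Priv.St is
# omitted (M' = M), so only the authenticator and audit mechanics are shown.

P = (1 << 127) - 1          # modulus of Z_p
KEY_BYTES = 16              # size of k_prf and of each encoded alpha_j
Blocks = List[List[int]]    # n rows (blocks) of s sectors, each in Z_p
Query = Dict[int, int]      # Q = {(i, nu_i)} as a map i -> nu_i, 1 <= i <= n
SecretKey = Tuple[bytes, bytes]
Processed = Tuple[Blocks, List[int]]

def prf(k_prf: bytes, i: int) -> int:
    """f_{k_prf}(i): HMAC of the block index, reduced into Z_p."""
    d = hmac.new(k_prf, i.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(d, "big") % P

def enc(k_enc: bytes, nonce: bytes, data: bytes) -> bytes:
    """Enc_{k_enc}: XOR with an HMAC(k_enc, nonce||ctr) keystream; the same call decrypts."""
    n_chunks = (len(data) + 31) // 32
    ks = b"".join(hmac.new(k_enc, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
                  for c in range(n_chunks))
    return bytes(x ^ y for x, y in zip(data, ks))

def mac(k_mac: bytes, data: bytes) -> bytes:
    return hmac.new(k_mac, data, hashlib.sha256).digest()

def keygen() -> SecretKey:
    """Priv.Kg: sk = (k_enc, k_mac); there is no public key."""
    return secrets.token_bytes(KEY_BYTES), secrets.token_bytes(KEY_BYTES)

def store(sk: SecretKey, blocks: Blocks) -> Tuple[Processed, bytes]:
    """Priv.St: returns the processed file M* = ({m_ij}, {sigma_i}) and the tag t."""
    k_enc, k_mac = sk
    n, s = len(blocks), len(blocks[0])
    k_prf = secrets.token_bytes(KEY_BYTES)
    alphas = [secrets.randbelow(P) for _ in range(s)]
    # sigma_i = f_{k_prf}(i) + sum_j alpha_j m_ij   (mod p)
    sigmas = [(prf(k_prf, i) + sum(a * m for a, m in zip(alphas, blocks[i - 1]))) % P
              for i in range(1, n + 1)]
    nonce = secrets.token_bytes(KEY_BYTES)
    secret = k_prf + b"".join(a.to_bytes(KEY_BYTES, "big") for a in alphas)
    t0 = n.to_bytes(4, "big") + nonce + enc(k_enc, nonce, secret)  # n || Enc(k_prf || alphas)
    return (blocks, sigmas), t0 + mac(k_mac, t0)                    # t = t0 || MAC(t0)

def parse_tag(sk: SecretKey, t: bytes) -> Optional[Tuple[int, bytes, List[int]]]:
    """First steps of Priv.V: check the MAC, then decrypt to recover (n, k_prf, alphas)."""
    k_enc, k_mac = sk
    t0, tag = t[:-32], t[-32:]
    if not hmac.compare_digest(mac(k_mac, t0), tag):
        return None
    n = int.from_bytes(t0[:4], "big")
    nonce = t0[4:4 + KEY_BYTES]
    secret = enc(k_enc, nonce, t0[4 + KEY_BYTES:])
    k_prf, rest = secret[:KEY_BYTES], secret[KEY_BYTES:]
    alphas = [int.from_bytes(rest[k:k + KEY_BYTES], "big") for k in range(0, len(rest), KEY_BYTES)]
    return n, k_prf, alphas

def make_query(n: int, l: int) -> Query:
    """l distinct block indices, each with a multiplier drawn from B = Z_p \ {0}."""
    idx = secrets.SystemRandom().sample(range(1, n + 1), l)
    return {i: 1 + secrets.randbelow(P - 1) for i in sorted(idx)}

def prove(m_star: Processed, q: Query) -> Tuple[List[int], int]:
    """Priv.P: mu_j = sum_{(i,nu_i) in Q} nu_i m_ij and sigma = sum nu_i sigma_i."""
    blocks, sigmas = m_star
    mus = [sum(nu * blocks[i - 1][j] for i, nu in q.items()) % P for j in range(len(blocks[0]))]
    return mus, sum(nu * sigmas[i - 1] for i, nu in q.items()) % P

def check(sk: SecretKey, t: bytes, q: Query, resp: Tuple[List[int], int]) -> bool:
    """Priv.V's decision: sigma == sum nu_i f_{k_prf}(i) + sum alpha_j mu_j   (mod p)."""
    parsed = parse_tag(sk, t)
    if parsed is None:
        return False
    n, k_prf, alphas = parsed
    mus, sigma = resp
    if len(mus) != len(alphas) or any(not 1 <= i <= n for i in q):
        return False            # malformed response or query: reject
    expected = (sum(nu * prf(k_prf, i) for i, nu in q.items())
                + sum(a * mu for a, mu in zip(alphas, mus))) % P
    return sigma == expected

def audit(sk: SecretKey, t: bytes, m_star: Processed, l: int) -> bool:
    """One verifier/prover run of the Priv protocol with an l-element query."""
    parsed = parse_tag(sk, t)
    if parsed is None:
        return False
    q = make_query(parsed[0], l)
    return check(sk, t, q, prove(m_star, q))
```

A server that alters a queried sector can only pass if $\alpha_j \nu_i \equiv 0 \pmod p$, i.e. with probability $1/p$ over the hidden $\alpha_j$, which is the unforgeability point of Theorem 1 in concrete form; a server that alters the tag is stopped earlier by the MAC check.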
3.3 Construction for Public Verification

Let $e : G \times G \to G_T$ be a bilinear map, let $g$ be a generator of $G$, and let
$H : \{0,1\}^* \to G$ be the BLS hash, treated as a random oracle.¹⁹ The construction
of the public verification scheme Pub is:

Pub.Kg(). Generate a random signing keypair $(spk, ssk) \xleftarrow{R} \mathrm{SKg}$. Choose a
random $\alpha \xleftarrow{R} \mathbb{Z}_p$ and compute $v \leftarrow g^\alpha$. The secret key is $sk = (\alpha, ssk)$; the public
key is $pk = (v, spk)$.

Pub.St(sk, M). Given the file $M$, first apply the erasure code to obtain $M'$; then
split $M'$ into $n$ blocks (for some $n$), each $s$ sectors long: $\{m_{ij}\}_{1 \le i \le n,\, 1 \le j \le s}$. Now
parse $sk$ as $(\alpha, ssk)$. Choose a random file name $\mathrm{name}$ from some sufficiently
large domain (e.g., $\mathbb{Z}_p$). Choose $s$ random elements $u_1, \ldots, u_s \xleftarrow{R} G$. Let
$t_0$ be "$\mathrm{name} \,\|\, n \,\|\, u_1 \,\|\, \cdots \,\|\, u_s$"; the file tag $t$ is $t_0$ together with a signature
on $t_0$ under private key $ssk$: $t \leftarrow t_0 \,\|\, \mathrm{SSig}_{ssk}(t_0)$. For each $i$, $1 \le i \le n$,
compute

$$\sigma_i \leftarrow \Bigl( H(\mathrm{name} \,\|\, i) \cdot \prod_{j=1}^{s} u_j^{m_{ij}} \Bigr)^{\alpha} .$$

The processed file $M^*$ is $\{m_{ij}\}$, $1 \le i \le n$, $1 \le j \le s$ together with $\{\sigma_i\}$,
$1 \le i \le n$.

Pub.V(pk, sk, t). Parse $pk$ as $(v, spk)$. Use $spk$ to verify the signature on $t$; if
the signature is invalid, reject by emitting 0 and halting. Otherwise, parse $t$,
recovering $\mathrm{name}$, $n$, and $u_1, \ldots, u_s$. Now pick a random $l$-element subset $I$
of the set $[1, n]$, and, for each $i \in I$, a random element $\nu_i \xleftarrow{R} B$. Let $Q$ be the
set $\{(i, \nu_i)\}$. Send $Q$ to the prover.

Parse the prover's response to obtain $(\mu_1, \ldots, \mu_s) \in (\mathbb{Z}_p)^s$ and $\sigma \in G$. If
parsing fails, fail by emitting 0 and halting. Otherwise, check whether

$$e(\sigma, g) = e\Bigl( \prod_{(i, \nu_i) \in Q} H(\mathrm{name} \,\|\, i)^{\nu_i} \cdot \prod_{j=1}^{s} u_j^{\mu_j} ,\ v \Bigr) ;$$

if so, output 1; otherwise, output 0.

Pub.P(pk, t, M*). Parse the processed file $M^*$ as $\{m_{ij}\}$, $1 \le i \le n$, $1 \le j \le s$,
along with $\{\sigma_i\}$, $1 \le i \le n$. Parse the message sent by the verifier as $Q$, an
$l$-element set $\{(i, \nu_i)\}$, with the $i$'s distinct, each $i \in [1, n]$, and each $\nu_i \in B$.
Compute

$$\mu_j \leftarrow \sum_{(i, \nu_i) \in Q} \nu_i m_{ij} \in \mathbb{Z}_p \ \text{ for } 1 \le j \le s, \qquad \text{and} \qquad \sigma \leftarrow \prod_{(i, \nu_i) \in Q} \sigma_i^{\nu_i} \in G .$$

Send to the verifier in response the values $\mu_1, \ldots, \mu_s$ and $\sigma$.

¹⁹ For notational simplicity, we present our scheme using a symmetric bilinear map, but
efficient implementations will use an asymmetric map $e : G_1 \times G_2 \to G_T$. Translating
our scheme to this setting is simple. User public keys $v$ will live in $G_2$; file generators
$u_j$ will live in $G_1$, as will the output of $H$; and security will be reduced to co-CDH [?].


104 


H. Shacham and B. Waters 


4 Security Proofs 

In this section we prove that both of our systems are secure under the model we
provided. Intuitively, we break our proof into three parts. The first part shows
that the attacker can never give a forged response back to the verifier. The
second part of the proof shows that from any adversary that passes the check a
non-negligible amount of the time we will be able to extract a constant fraction
of the encoded blocks. The second step uses the fact that (w.h.p.) all verified
responses must be legitimate. Finally, we show that if this constant fraction of
blocks is recovered we can use the erasure code to reconstruct the original file.

In this section we provide an outline of our proofs and state our main theorems
and lemmas. We defer the proofs of these to the full paper [?]. The proof, for
both schemes, is in three parts:

1. Prove that the verification algorithm will reject except when the prover's
$\{\mu_j\}$ are correctly computed, i.e., are such that $\mu_j = \sum_{(i, \nu_i) \in Q} \nu_i m_{ij}$. This
part of the proof uses cryptographic techniques.

2. Prove that the extraction procedure can efficiently reconstruct a $\rho$ fraction
of the file blocks when interacting with a prover that provides correctly-
computed $\{\mu_j\}$ responses for a nonnegligible fraction of the query space.
This part of the proof uses combinatorial techniques.

3. Prove that a $\rho$ fraction of the blocks of the erasure-coded file suffice for
reconstructing the original file. This part of the proof uses coding theory
techniques.

Crucially, only the part-one proof is different for our two schemes; the other
parts are identical.

4.1 Part-One Proofs 

Scheme with Private Verifiability

Theorem 1. If the MAC is unforgeable, the symmetric encryption scheme is
semantically secure, and the PRF is secure, then (except with negligible probability)
no adversary against the soundness of our private-verification scheme ever
causes V to accept in a proof-of-retrievability protocol instance, except by
responding with values $\{\mu_j\}$ and $\sigma$ that are computed correctly, i.e., as they would
be by Priv.P.

We prove the theorem in Appendix A.1 of the full paper [?].

Scheme with Public Verifiability

Theorem 2. If the signature scheme used for file tags is existentially unforgeable
and the computational Diffie-Hellman problem is hard in bilinear groups,
then, in the random oracle model, except with negligible probability no adversary
against the soundness of our public-verification scheme ever causes V to
accept in a proof-of-retrievability protocol instance, except by responding with
values $\{\mu_j\}$ and $\sigma$ that are computed correctly, i.e., as they would be by Pub.P.

We prove the theorem in Appendix A.2 of the full paper [?].
4.2 Part-Two Proof

We say that a cheating prover $P'$ is well-behaved if it never causes V to accept
in a proof-of-retrievability protocol instance except by responding with values
$\{\mu_j\}$ and $\sigma$ that are computed correctly, i.e., as they would be by Pub.P. The
part-one proofs above guarantee that all adversaries that win the soundness game
with nonnegligible probability output cheating provers that are well-behaved,
provided that the cryptographic primitives we employ are secure. The part-two
theorem shows that extraction always succeeds against a well-behaved cheating
prover:

Theorem 3. Suppose a cheating prover $P'$ on an $n$-block file $M$ is well-behaved
in the sense above, and that it is $\epsilon$-admissible: i.e., convincingly answers an
$\epsilon$ fraction of verification queries. Let $\omega = 1/\#B + (\rho n)^l / (n - l + 1)^l$. Then, provided
that $\epsilon - \omega$ is positive and nonnegligible, it is possible to recover a $\rho$ fraction of
the encoded file blocks in $O(n / (\epsilon - \omega))$ interactions with $P'$ and in $O(n^2 s +
(1 + \epsilon n^2)(n) / (\epsilon - \omega))$ time overall.

We first make the following definition.

Definition 2. Consider an adversary $B$, implemented as a probabilistic polynomial-
time Turing machine, that, given a query $Q$ on its input tape, outputs
either the correct response ($qM$ in vector notation) or a special symbol $\bot$ to its
output tape. Suppose $B$ responds with probability $\epsilon$, i.e., on an $\epsilon$ fraction of the
query-and-randomness-tape space. We say that such an adversary is $\epsilon$-polite.

The proof of our theorem depends upon the following lemma that is proved in
Appendix A.3 of the full paper [?].

Lemma 1. Suppose that $B$ is an $\epsilon$-polite adversary as defined above. Let $\omega$ equal
$1/\#B + (\rho n)^l / (n - l + 1)^l$. If $\epsilon > \omega$ then it is possible to recover a $\rho$ fraction of
the encoded file blocks in $O(n / (\epsilon - \omega))$ interactions with $B$ and in $O(n^2 s + (1 +
\epsilon n^2)(n) / (\epsilon - \omega))$ time overall.

To apply Lemma 1 we need only show that a well-behaved $\epsilon$-admissible cheating
prover $P'$, as output by a setup-game adversary $A$, can be turned into an
$\epsilon$-polite adversary $B$. But this is quite simple. Here is how $B$ is implemented.
We will use $P'$ to construct the $\epsilon$-polite adversary $B$. Given a query $Q$, interact
with $P'$ according to $(V(pk, sk, t) \rightleftharpoons P')$, playing the part of the verifier. If the
output of the interaction is 1, write $(\mu_1, \ldots, \mu_s)$ to the output tape; otherwise,
write $\bot$. Each time $B$ runs $P'$, it provides it with a clean scratch tape and a new
randomness tape, effectively rewinding it. Since $P'$ is well-behaved, a successful
response will compute $(\mu_1, \ldots, \mu_s)$ as prescribed for an honest prover. Since
$P'$ is $\epsilon$-admissible, on an $\epsilon$ fraction of interactions it answers correctly. Thus the
algorithm $B$ that we have constructed is an $\epsilon$-polite adversary.

All that remains is to guarantee that $\omega = 1/\#B + (\rho n)^l / (n - l + 1)^l$ is such
that $\epsilon - \omega$ is positive, indeed nonnegligible. But this simply requires that
each of $1/\#B$ and $(\rho n)^l / (n - l + 1)^l$ be negligible in the security parameter; see
Section 1.1.
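The extractor sketched in footnote 16 and used by Lemma 1 (query, keep the accepted responses, recover blocks by linear algebra) can be run against a simulated $\epsilon$-polite adversary. The code below is an added example, not the paper's code: it assumes a fixed 61-bit prime for $\mathbb{Z}_p$, $B = \mathbb{Z}_p \setminus \{0\}$, an adversary that decides which queries it answers by a keyed hash of the query (so that it answers about an $\epsilon$ fraction of them and outputs $\bot$ on the rest), and no erasure code, so the extractor recovers the whole $n \times s$ matrix $M$ rather than a $\rho$ fraction of its rows. The solver is plain Gauss-Jordan elimination over $\mathbb{Z}_p$ on the system $QM = U$ formed by the accepted query vectors $q$ and responses $\mu = qM$.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

# Added example, not the paper's code.  Assumptions: p is a fixed 61-bit prime,
# B = Z_p \ {0}, and the polite adversary answers a query iff a keyed hash of the
# query falls below eps, which fixes its behaviour per query but looks random.

P = (1 << 61) - 1
Vector = List[int]
Matrix = List[List[int]]

def random_query(n: int, l: int) -> Vector:
    """Random weight-l query in vector notation: q_i = nu_i for i in I, 0 otherwise."""
    q = [0] * n
    for i in secrets.SystemRandom().sample(range(n), l):
        q[i] = 1 + secrets.randbelow(P - 1)
    return q

def vec_mat(q: Vector, m: Matrix) -> Vector:
    """qM: the honest aggregated response (mu_1, ..., mu_s)."""
    return [sum(q[i] * m[i][j] for i in range(len(m))) % P for j in range(len(m[0]))]

class PoliteAdversary:
    """An eps-polite B (Definition 2): correct response on ~eps of the queries, else ⊥ (None)."""
    def __init__(self, m: Matrix, eps: float):
        self.m, self.eps, self.seed = m, eps, secrets.token_bytes(16)

    def respond(self, q: Vector) -> Optional[Vector]:
        h = hashlib.sha256(self.seed + repr(q).encode()).digest()
        if int.from_bytes(h[:8], "big") / 2 ** 64 >= self.eps:
            return None                      # the ⊥ symbol of Definition 2
        return vec_mat(q, self.m)

def solve_mod_p(rows: List[Vector], rhs: List[Vector], n: int) -> Optional[Matrix]:
    """Gauss-Jordan over Z_p on [Q | U]; returns M with QM = U, or None if rank(Q) < n."""
    s = len(rhs[0])
    a = [r[:] + u[:] for r, u in zip(rows, rhs)]
    row = 0
    for col in range(n):
        piv = next((r for r in range(row, len(a)) if a[r][col]), None)
        if piv is None:
            return None                      # this column is not yet spanned
        a[row], a[piv] = a[piv], a[row]
        inv = pow(a[row][col], P - 2, P)     # Fermat inverse, p prime
        a[row] = [x * inv % P for x in a[row]]
        for r in range(len(a)):
            if r != row and a[r][col]:
                f = a[r][col]
                a[r] = [(x - f * y) % P for x, y in zip(a[r], a[row])]
        row += 1
    return [a[i][n:n + s] for i in range(n)]

def extract(adv: PoliteAdversary, n: int, l: int, max_queries: int = 100000) -> Tuple[Optional[Matrix], int]:
    """Footnote-16 extractor: issue random queries, keep the answered ones, and solve
    for the blocks once the accepted query vectors span Z_p^n.  Returns (M, #interactions)."""
    qs: List[Vector] = []
    us: List[Vector] = []
    for k in range(1, max_queries + 1):
        q = random_query(n, l)
        mu = adv.respond(q)
        if mu is None:
            continue
        qs.append(q)
        us.append(mu)
        if len(qs) >= n:
            m = solve_mod_p(qs, us, n)
            if m is not None:
                return m, k
    return None, max_queries
```

With $\epsilon = 0.3$ and $n = 6$ the extractor typically needs on the order of $n/\epsilon \approx 20$ interactions, matching the $O(n/(\epsilon - \omega))$ bound of Lemma 1 in spirit (here $\omega = 1/\#B + \ldots$ is negligible because $\#B = p - 1$ is large and $\rho = 1$ is not used).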
4.3 Part-Three Proof

Theorem 4. Given a $\rho$ fraction of the $n$ blocks of an encoded file $M^*$, it is
possible to recover the entire original file $M$ with all but negligible probability.

Proof. For rate-$\rho$ Reed-Solomon codes this is trivially true, since any $\rho$ fraction
of encoded file blocks suffices for decoding; see Appendix B of the full paper.
For rate-$\rho$ linear-time codes the additional measures described there guarantee
that the $\rho$ fraction of blocks retrieved will allow decoding with overwhelming
probability.
Abstract. At EuroCrypt '08, Gilbert, Robshaw and Seurin proposed
HB# to improve on HB+ in terms of transmission cost and security
against man-in-the-middle attacks. Although the security of HB# is formally
proven against a certain class of man-in-the-middle adversaries, it
is only conjectured for the general case. In this paper, we present a general
man-in-the-middle attack against HB# and Random-HB#, which
can also be applied to all anterior HB-like protocols, that recovers the
shared secret in $2^{25}$ or $2^{20}$ authentication rounds for HB# and $2^{34}$ or $2^{28}$
for Random-HB#, depending on the parameter set. We further show
that the asymptotic complexity of our attack is polynomial under some
conditions on the parameter set which are met on one of those proposed
in [?].

Keywords: HB, authentication protocols, RFID.


1 Introduction 

Designing secure cryptographic protocols using lightweight components is one
of the main challenges of cryptography. Indeed, the emergence of new technology
such as radio-frequency identification (RFID) tags with low computation and
memory capabilities has stressed the need for such protocols.

These devices require protection from many threats. For example, for a company
using RFID tags in inventories and supply-chain management, an RFID tag
should be protected from cloning. Biometric passports also have a tight relation
with RFID since they use contactless chips to communicate and authenticate
the passport holder to some authorized authority. Using RFID tags as a replacement
for barcodes by many merchants has also raised the issue of traceability
and privacy protection. Thus, the need for authentication protocols providing
efficiency, security and privacy protection has become a key factor for the future
development of this technology. One of the most popular attempts to fulfill this
need is the HB family of authentication protocols.
The HB Family. Originally introduced by Hopper and Blum [?], the HB
protocol aims at authenticating RFID tags to a reader using very lightweight
operations while reducing its security to a well-known NP-hard problem: the
learning parity with noise (LPN) problem [?]. In fact, this protocol only requires
a matrix multiplication and some basic XOR operations. But Juels and Weis [?]
showed later that HB is insecure against adversaries able to interact with tags
by impersonating readers, and then proposed a new variant immune against this
type of attack: HB+. As these two protocols were initially studied in a scenario
of sequential executions, Katz and Shin [13] extended both security proofs of
HB and HB+ to a more general concurrent and parallel setting. However, as
Gilbert, Robshaw and Sibert noted in [?], the security of HB+ is compromised
if the adversary is given the ability to modify messages going from the reader to
the tag. This model was later known as the GRS security model.

Since then, many HB-like protocols aiming at security in the GRS model were
proposed. Most notably, we mention the works of Bringer, Chabanne and Dottax
on HB++ [?], Munilla and Peinado on HB-MP [13] and Duc and Kim on HB* [?].
But all these protocols were proven to be insecure in the GRS model, as all of
them were successfully cryptanalyzed by Gilbert, Robshaw and Seurin in [?].


Tag (secret $X, Y$)                                      Reader (secret $X, Y$)

Choose $b \in_R \{0,1\}^{k_y}$
                                     ---- $b$ ---->
                                     <---- $a$ ----   Choose $a \in_R \{0,1\}^{k_x}$
Choose $\nu \in_R \{0,1\}^m$ s.t. $\Pr[\nu_i = 1] = \eta$
Compute $z = aX \oplus bY \oplus \nu$
                                     ---- $z$ ---->   Accept iff:
                                                      $\mathrm{wt}(aX \oplus bY \oplus z) \le t$

Fig. 1. The Random-HB# and HB# protocols. In Random-HB#, $X \in \mathbb{F}_2^{k_x \times m}$ and
$Y \in \mathbb{F}_2^{k_y \times m}$ are random matrices; in HB# they are Toeplitz matrices. wt denotes the
Hamming weight.


At EuroCrypt '08, Gilbert, Robshaw and Seurin [?] proposed a new variant
of HB+ named Random-HB# and its optimized version HB#. In these protocols,
the tag and the reader share some secret matrices $X$ and $Y$. During an
authentication instance, both issue challenges of $k_y$-bit and $k_x$-bit length respectively
and the final response of the tag is an $m$-bit message disturbed by a noise
vector in which every bit has a probability $\eta$ of being 1.

The details of the Random-HB# and HB# protocols are outlined in Figure 1
and the proposed parameters (inspired from the results of [?]) in Table 1. The
difference between these two versions lies in the structure of the secret matrices
$X$ and $Y$: while in Random-HB# these two are completely random, thus needing
$(k_x + k_y)m$ bits of storage, HB# reduces this amount to $k_x + k_y + 2m - 2$ by
using Toeplitz matrices for $X$ and $Y$.

Besides generating two random vectors $\nu$ and b, the operations performed by the tag to authenticate itself are very cheap: it only needs two matrix 
Table 1. HB# parameter sets proposed in [?]. $P_{FR}$ and $P_{FA}$ denote the false rejection and false acceptance rates respectively. In set III, the Hamming weight of the error vector $\nu$ generated by the tag is smaller than t. 

Parameter set   k_x   k_y   m      eta     t     P_FR     P_FA
I               80    512   1164   0.25    405   2^-45    2^-83
II              80    512   441    0.125   113   2^-45    2^-83
III             80    512   256    0.125   48    0        2^-81

multiplications to compute aX and bY, which can be implemented using basic AND and XOR operations, along with two bitwise XOR operations between two m-bit vectors. In some variant, the tag generates a random error vector $\nu$ until it has weight no larger than t, requiring the tag to be able to compute a Hamming weight wt. 
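As an added illustration (not code from the paper), the following Python simulates the HB# protocol of Figure 1 with Toeplitz secrets stored as $k + m - 1$ bits, including the weight-bounded noise of parameter set III, and measures the empirical false rejection and random-impostor acceptance rates; the `TOY` parameter set is a constructed small instance so a stand-alone run is quick.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class HBSharpParams:
    k_x: int       # length of the reader's challenge a
    k_y: int       # length of the tag's challenge b
    m: int         # length of the response z
    eta: float     # probability that a noise bit is 1
    t: int         # acceptance threshold on wt(aX + bY + z)
    bounded: bool = False  # set III variant: resample nu until wt(nu) <= t

# The three parameter sets of Table 1.
SET_I = HBSharpParams(80, 512, 1164, 0.25, 405)
SET_II = HBSharpParams(80, 512, 441, 0.125, 113)
SET_III = HBSharpParams(80, 512, 256, 0.125, 48, bounded=True)
# Constructed small instance so that a stand-alone run finishes instantly.
TOY = HBSharpParams(8, 16, 64, 0.125, 24)

def weight(x):
    """Hamming weight of an int used as a bit-vector."""
    return bin(x).count("1")

def toeplitz_rows(seed, k, m):
    """Rows of the k x m Toeplitz matrix whose entry (i, j) is seed[i - j + m - 1].
    Only the k + m - 1 seed bits are stored, which is the HB# storage saving over
    Random-HB#.  Row i is returned as an m-bit int whose bit j is column j."""
    assert len(seed) == k + m - 1
    rows = []
    for i in range(k):
        row = 0
        for j in range(m):
            if seed[i - j + m - 1]:
                row |= 1 << j
        rows.append(row)
    return rows

def vec_mat(vec, rows):
    """vec * M over GF(2): XOR of the rows selected by the 1-bits of vec (AND and XOR only)."""
    acc = 0
    for bit, row in zip(vec, rows):
        if bit:
            acc ^= row
    return acc

def keygen(p, rng):
    """Shared secret (X, Y) as Toeplitz matrices, expanded to row lists."""
    seed_x = [rng.randrange(2) for _ in range(p.k_x + p.m - 1)]
    seed_y = [rng.randrange(2) for _ in range(p.k_y + p.m - 1)]
    return toeplitz_rows(seed_x, p.k_x, p.m), toeplitz_rows(seed_y, p.k_y, p.m)

def noise(p, rng):
    """Error vector nu with Pr[nu_i = 1] = eta; under the bounded variant the tag
    keeps sampling until wt(nu) <= t, so such a response is never rejected."""
    while True:
        nu = 0
        for j in range(p.m):
            if rng.random() < p.eta:
                nu |= 1 << j
        if not p.bounded or weight(nu) <= p.t:
            return nu

def tag_response(p, key, a, b, rng):
    """z = aX + bY + nu (all additions are XOR)."""
    X, Y = key
    return vec_mat(a, X) ^ vec_mat(b, Y) ^ noise(p, rng)

def reader_accepts(p, key, a, b, z):
    """Accept iff wt(aX + bY + z) <= t, i.e. the recovered error vector is light."""
    X, Y = key
    return weight(vec_mat(a, X) ^ vec_mat(b, Y) ^ z) <= p.t

def run_session(p, key, rng):
    """One honest run: tag sends b, reader sends a, tag sends z; returns the verdict."""
    b = [rng.randrange(2) for _ in range(p.k_y)]
    a = [rng.randrange(2) for _ in range(p.k_x)]
    return reader_accepts(p, key, a, b, tag_response(p, key, a, b, rng))

def false_rejection_rate(p, sessions, seed=1):
    """Empirical P_FR: fraction of honest sessions the reader rejects."""
    rng = random.Random(seed)
    key = keygen(p, rng)
    return sum(not run_session(p, key, rng) for _ in range(sessions)) / sessions

def impostor_acceptance_rate(p, sessions, seed=2):
    """Empirical P_FA for an impostor that knows no key and answers with a random z."""
    rng = random.Random(seed)
    key = keygen(p, rng)
    accepted = 0
    for _ in range(sessions):
        b = [rng.randrange(2) for _ in range(p.k_y)]
        a = [rng.randrange(2) for _ in range(p.k_x)]
        accepted += reader_accepts(p, key, a, b, rng.getrandbits(p.m))
    return accepted / sessions

if __name__ == "__main__":
    print("toy P_FR:", false_rejection_rate(TOY, 2000))
    print("toy P_FA (random z):", impostor_acceptance_rate(TOY, 2000))
    print("set II P_FR over 20 sessions:", false_rejection_rate(SET_II, 20))
```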

Random-HB# is also accompanied with a proof of security in the GRS security model if the parameters satisfy the condition $m\eta < t < m/2$. Under the conjecture that the Toeplitz-MHB puzzle is hard, HB# is also secure in the same model. However, both protocols only provide "strong arguments" in favor of their resistance against man-in-the-middle adversaries, and formally proving their security in such a model was left as an open problem. 


Our Contribution. In this paper, we present an attack against Random-HB# 
and HB# in a general man-in-the-middle attack where the adversary is given the 
ability to modify all messages. The idea of our attack is to modify the messages of 
a session according to values obtained from a passive attack where the adversary 
eavesdrops on a protocol session between a reader and the tag. 

Throughout this paper, we will denote by b and z (resp. a) the values sent by the tag (resp. the reader) and by $\hat b$ and $\hat z$ (resp. $\hat a$) the values received by the reader (resp. the tag) after corruption by the adversary. Thus the tag computes $z = aX \oplus bY \oplus \nu$ while the reader checks that $\mathrm{wt}(\hat aX \oplus \hat bY \oplus \hat z) \le t$. 


Outline. Our paper is organized as follows. First, we show how it is possible to mount a man-in-the-middle attack against HB# by proposing an algorithm able to compute the Hamming weight of the errors introduced by the tag in a session (a, b, z). Then, we provide a complexity analysis of this initial attack needed by the man-in-the-middle to fully recover the secret matrices of Random-HB# and HB#. Afterwards, we present our optimized attack in Section 4 and give the complexity results applied to parameter sets I and II of HB# of Table 1. After that, we investigate some open proposals to limit the Hamming weight of the error vector in HB-like protocols and present an attack against the parameter set III of HB# shown in Table 1. At last, we show the lower bounds on the parameters for which our attack does not work. 
2 Basic Attack 

In this section, we show that, contrary to what was conjectured in [?], both Random-HB# and HB# are vulnerable to man-in-the-middle attacks by presenting a (non-optimized) attack. 

2.1 Principle 

The core of our attack is Algorithm 1, in which $\Phi$ denotes the cumulative distribution function of the normal distribution. It shows how an adversary able to modify messages going in both directions can compute the Hamming weight of the error vector $\bar\nu = \bar aX \oplus \bar bY \oplus \bar z$, denoted $w = \mathrm{wt}(\bar\nu)$, introduced in a triplet $(\bar a, \bar b, \bar z)$. The crucial observation is that since $z = aX \oplus bY \oplus \nu$, in each iteration of the for-loop of Algorithm 1 the reader computes the Hamming weight $\mathrm{wt}(\nu \oplus \bar\nu)$ of 

$$\hat aX \oplus \hat bY \oplus \hat z = (a \oplus \bar a)X \oplus (b \oplus \bar b)Y \oplus (z \oplus \bar z) = (aX \oplus bY \oplus z) \oplus (\bar aX \oplus \bar bY \oplus \bar z) = \nu \oplus \bar\nu$$

and accepts iff $\mathrm{wt}(\nu \oplus \bar\nu) \le t$. 


Algorithm 1. Approximating w 

Input: $\bar a, \bar b, \bar z, n$ 

Output: $P^{-1}(c/n)$, an approximation of $w = \mathrm{wt}(\bar aX \oplus \bar bY \oplus \bar z)$, where $P(w) = \Pr[\mathrm{wt}(\nu \oplus \bar\nu) \le t]$ 

Processing: 

1: Initialize $c \leftarrow 0$ 
2: for $i = 1 \ldots n$ do 
3:   During a protocol, set $\hat a \leftarrow a \oplus \bar a$, $\hat b \leftarrow b \oplus \bar b$ and $\hat z \leftarrow z \oplus \bar z$ 
4:   if reader accepts then 
5:     $c \leftarrow c + 1$ 
6:   end if 
7: end for 


Correctness. We show that the output of Algorithm 1 is indeed an estimation of $\mathrm{wt}(\bar\nu)$. The probability p that a bit of $(\nu \oplus \bar\nu)$ is 1 is given by: 



Hence, $m - w$ bits of $(\nu \oplus \bar\nu)$ follow a Bernoulli distribution of parameter $\eta$ and the other w bits follow a Bernoulli distribution of parameter $1 - \eta$, thus $\mathrm{wt}(\nu \oplus \bar\nu)$ follows a binomial distribution. Because of the independence of all bits, the expected value and variance of $\mathrm{wt}(\nu \oplus \bar\nu)$ are given by $\mu = (m - w)\eta + w(1 - \eta)$ and $\sigma^2 = m\eta(1 - \eta)$ respectively. 

We now define the function P as $P(w) = \Pr[\mathrm{wt}(\nu \oplus \bar\nu) \le t]$. By the definition of the standard normal cumulative distribution function $\Phi$ and the central limit theorem, we have that 

$$P(w) \approx \Phi(u), \quad \text{with } u = \frac{t - \mu}{\sigma} = \frac{t - (m - w)\eta - w(1 - \eta)}{\sqrt{m\eta(1 - \eta)}} \qquad (1)$$

The random variable $c/n$ thus follows a normal distribution with expected value $P(w)$ and variance $\frac{1}{n}P(w)(1 - P(w))$. To decide whether $\mathrm{wt}(\bar\nu) = w$ or not, the estimate $c/n$ for $P(\mathrm{wt}(\bar\nu))$ has to be good enough. The difference of the probabilities is at least $P(w + 1) - P(w) \approx P'(w)$, which we can compute as 



By taking 

$$n = \frac{\theta^2}{r^2} R(w) \quad \text{with} \quad R(w) = 2\,\frac{P(w)(1 - P(w))}{(P'(w))^2} \qquad (2)$$

the probability that $|c/n - P(w)| > r\,|P'(w)|$ is $2\Phi(-\theta\sqrt{2}) = \mathrm{erfc}(\theta)$. With $\theta$ high enough, $c/n$ yields an estimate of $P(w)$ with precision $\pm rP'(w)$. Thus, Algorithm 1 is correct if n is chosen large enough. 

Choice of Input. To determine a reasonable choice for the input n, we have to fix values for r and $\theta$. If we can assume that $w = \mathrm{wt}(\bar\nu)$ is an integer close to some value $w_0$, we can call Algorithm 1 with $r = 1/2$ to infer $w = \lfloor P^{-1}(c/n) \rceil$ with error probability $\mathrm{erfc}(\theta)$ (here, $\lfloor\cdot\rceil$ refers to normal rounding). On the other hand, if we know that $w \in \{w_0 - 1, w_0 + 1\}$, we can choose $r = 1$ to infer w by the closest value to $P^{-1}(c/n)$. The error probability is $\frac{1}{2}\mathrm{erfc}(\theta)$. In both cases, Algorithm 1 is an oracle of complexity $n = \frac{\theta^2}{r^2}R(w_0)$ that can be used to compute w given $\bar a, \bar b, \bar z$ and succeeding with a probability of error smaller than $\mathrm{erfc}(\theta)$. 

Since we have to recover $\ell$ secret bits by Algorithm 1, $\mathrm{erfc}(\theta)$ should be less than the inverse of the number of secret bits $\ell$. Using the approximation $\Phi(-x) \approx \varphi(x)/x$ of the normal tail when x is large (so that the tail is small), we obtain 



and thereby a reasonable choice for $\theta$. 

Recovering the whole secret key. Algorithm 2 shows how to recover the secret key by building a system of linear equations with the help of Algorithm 1. 

Clearly the complexity of Algorithm 2 is $\theta^2(4R(w_{est}) + mR(w))$ and we have to call it $\ell/m$ times on independent (a, b) pairs to fully recover X and Y, where $\ell$ is the length of the secret key (note that $\ell = (k_x + k_y)m$ in Random-HB# and $\ell = k_x + k_y + 2m - 2$ in HB#). The expected number of errors in the equation system defining X and Y is $\ell \cdot \mathrm{erfc}(\theta)$. The probability that a passive attack gives an (a, b) linearly dependent from the i previous ones is $2^{i}/2^{k_x + k_y}$. The number of 
Algorithm 2. Getting linear equations for X and Y 
Input: a, b, z and $w_{est}$ the expected weight of $\bar\nu = aX \oplus bY \oplus z$ 
Output: A linear equation $aX \oplus bY = c$ 

Processing: 

1: Initialize m-bit vector $c \leftarrow z$ 
2: Call Algorithm 1 on input $(a, b, z, n = 4\theta^2 R(w_{est}))$ to get w 
3: for $i = 1 \ldots m$ do 
4:   Flip bit i of z to get $z'$ 
5:   Call Algorithm 1 on input $(a, b, z', n = \theta^2 R(w))$ to get $w'$ 
6:   if $w' = w - 1$ then 
7:     $c_i \leftarrow c_i \oplus 1$ 
8:   end if 
9: end for 

passive attacks to get the inputs for Algorithm 2 is thus 

$$\left\lceil \frac{\ell}{m} \right\rceil \qquad (3)$$

and can be neglected in comparison to the $\ell/m$ calls of Algorithm 2. 


Computational complexity. The computational complexity of the given attack is quite low in comparison to the number of authentications needed: for each call of Algorithm 1 we have at most n incrementations of a counter and one evaluation of $P^{-1}$. For Random-HB#, after running Algorithm 2 we have m linear binary equation systems in $k_x + k_y$ variables (one for each row of the matrix $[X^T | Y^T]$), which can thus be solved in $O(m(k_x + k_y)^3)$ operations. This number is negligible in comparison to the number of authentications needed to perform Algorithm 2 and is even lower for HB#. Throughout the paper we thus measure the complexity of our attack in terms of (intercepted) authentications between the tag and the reader. 

2.2 Asymptotic Complexity Analysis 

The complexity of the attack is related to the complexity of Algorithm 2, which is in its turn related to the complexity of Algorithm 1. Thus, the main component of the attack affecting the overall complexity is the input n of Algorithm 1. Equation (2) yields that $n = O\!\left(\theta^2 e^{u^2}/(1 - 2\eta)^2\right)$, so the complexity of our attack is exponential in $u^2$ as we can use a $\theta$ logarithmic in $\ell$. 

Parameters with optimal complexity. The minimal value of n is reached when u = 0, which happens when the estimated value $w_{est}$ of $\mathrm{wt}(\bar\nu)$ is 

$$w_{est} = w_{opt} = \frac{t - m\eta}{1 - 2\eta}.$$

In this case we obtain 

$$P(w_{opt}) = \frac{1}{2}, \qquad P'(w_{opt}) = \frac{1 - 2\eta}{\sqrt{2\pi m\eta(1 - \eta)}}, \qquad R(w_{opt}) = \frac{\pi m\eta(1 - \eta)}{(1 - 2\eta)^2}.$$


Obviously, our attack has optimal complexity if we can call Algorithm 2 on input of valid triplets (a, b, z) with $\mathrm{wt}(\bar\nu) = w_{opt}$ only. As clearly, for most parameter sets, the latter is not true for random triplets obtained by passive attacks, we would like to manipulate errors in z to reach an expected value of $w_{opt}$. Unfortunately, due to the hardness of the LPN problem, we cannot remove errors from z if $w > w_{opt}$. However, if $w < w_{opt}$ then we can inject errors in z so that the resulting vector has an expected weight of $w_{opt}$ and the attack remains polynomial. This case happens when: 

$$t > 2m\eta(1 - \eta),$$

using the approximation $w_{est} \approx m\eta$ when a valid triplet (a, b, z) is obtained by a passive attack and the false rejection rate of the HB# protocol is negligible. Thus in this case, our attack remains optimal. 


Categorization of parameter sets. We have seen that for u = 0, our attack has subquadratic running time. However, even if $u = O(\sqrt{\ln \ell})$, we obtain a polynomial time attack. Thus, from Formula (2) we distinguish three cases: 

1. Subquadratic complexity: If $t > 2m\eta(1 - \eta)$ the attack has a complexity of O( ) since Algorithm 1 is called $O(\ell)$ times. 

2. Polynomial complexity: $t = 2m\eta(1 - \eta) - c\sqrt{m\eta(1 - \eta)}$, $c = O(\sqrt{\ln \ell})$: the above complexity is multiplied by an $e^{c^2}$ factor. Thus, Algorithm 1 is still polynomial. 

3. Exponential complexity: All other cases. 

Depending on the category of the parameter set, there are different strategies to find the triplets (a, b, z) which serve as input for Algorithm 2 (and thus Algorithm 1). We present those strategies in the following and give numbers for the corresponding parameter sets. 


2.3 Strategy for the Case $t > 2m\eta(1 - \eta)$ 

Thanks to the hypothesis $t > 2m\eta(1 - \eta)$, we have that $w_{opt} > w = m\eta$. Thus, the best strategy is to optimize the complexity of Algorithm 2 by having a triplet (a, b, z) with an error vector of expected Hamming weight $w_{opt}$. Using a triplet (a, b, z) obtained from a passive attack, we can flip the last $(w_{opt} - m\eta)/(1 - 2\eta)$ bits of z to get $\bar\nu$ of expected Hamming weight $w_{opt}$ and then use the attack described previously. 
Application to parameter set II. As these parameters are in the case $t > 2m\eta(1 - \eta)$, we can use Algorithm 2 in its optimum complexity to attack both Random-HB# and HB#. After computing $w_{opt} = 77.167$, $P'(w_{opt}) = 0.0431$, $R(w_{opt}) = 269.39$ and the expected value of $w = m\eta = 55$, we have to flip $f = 29$ bits to get an expected value close to $w_{opt}$. For Random-HB# the number of bits to retrieve is $\ell = (k_x + k_y)m = 261\,072$, for which we can use $\theta = 3.164$. The total complexity is $\ell\theta^2 R(w_{opt}) = 2^{29.4}$. In the case of HB# the number of secret bits is $\ell = k_x + k_y + 2m - 2 = 1\,472$, for which we use $\theta = 2.265$ and end up with a complexity of $\ell\theta^2 R(w_{opt}) = 2^{21}$. 
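The quantities in this paragraph follow from Equations (1) and (2); the Python below is an added example (not the paper's code) that implements P, P', R, $w_{opt}$ and the number of bits to flip, reproduces the figures for parameter set II, and applies the three cases of Section 2.2. It assumes $\theta$ is chosen so that the oracle error probability $\frac12\mathrm{erfc}(\theta)$ equals $1/\ell$, a choice that matches the $\theta$ values quoted in the text.

```python
import math

# Standard normal density and distribution function (phi and Phi in the paper).
def phi(x):
    return math.exp(-x * x / 2.0) / math.sqrt(2.0 * math.pi)

def Phi(x):
    return 0.5 * math.erfc(-x / math.sqrt(2.0))

def mean_sd(m, eta, w):
    """Mean and standard deviation of wt(nu + nu_bar) when the tag's noise rate
    is eta and the adversary's error vector nu_bar has weight w (Section 2.1)."""
    mu = (m - w) * eta + w * (1.0 - eta)
    sigma = math.sqrt(m * eta * (1.0 - eta))
    return mu, sigma

def P(m, eta, t, w):
    """Equation (1): acceptance probability P(w) ~ Phi((t - mu) / sigma)."""
    mu, sigma = mean_sd(m, eta, w)
    return Phi((t - mu) / sigma)

def P_prime(m, eta, t, w):
    """|dP/dw|: one extra error shifts mu by 1 - 2 eta, so |P'| = (1 - 2 eta) phi(u) / sigma."""
    mu, sigma = mean_sd(m, eta, w)
    return (1.0 - 2.0 * eta) * phi((t - mu) / sigma) / sigma

def R(m, eta, t, w):
    """Equation (2): R(w) = 2 P(w)(1 - P(w)) / P'(w)^2; the oracle needs theta^2 R(w) / r^2 sessions."""
    p = P(m, eta, t, w)
    return 2.0 * p * (1.0 - p) / P_prime(m, eta, t, w) ** 2

def w_opt(m, eta, t):
    """Weight at which u = 0, i.e. P = 1/2 and R is minimal."""
    return (t - m * eta) / (1.0 - 2.0 * eta)

def flips_to_reach(eta, w_from, w_to):
    """Random bits of z to flip so that the expected error weight moves from
    w_from to w_to: each flip changes the expected weight by 1 - 2 eta."""
    return (w_to - w_from) / (1.0 - 2.0 * eta)

def theta_for(ell):
    """theta with erfc(theta) / 2 = 1 / ell (assumption of this example: the r = 1
    oracle's error probability per key bit), found by bisection."""
    lo, hi = 0.0, 10.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if 0.5 * math.erfc(mid) > 1.0 / ell:
            lo = mid
        else:
            hi = mid
    return hi

def log2_sessions(m, eta, t, ell):
    """log2 of ell * theta^2 * R(w_opt), the Section 2.3 count for t > 2 m eta (1 - eta)."""
    th = theta_for(ell)
    return math.log2(ell * th * th * R(m, eta, t, w_opt(m, eta, t)))

def category(m, eta, t, ell):
    """The three cases of Section 2.2 for a passive triplet of expected weight m eta."""
    _, sigma = mean_sd(m, eta, 0)
    c = (2.0 * m * eta * (1.0 - eta) - t) / sigma
    if c < 0:
        return "subquadratic"
    return "polynomial" if c * c <= math.log(ell) else "exponential"

if __name__ == "__main__":
    m, eta, t = 441, 0.125, 113                       # parameter set II
    ell_random, ell_hb = (80 + 512) * m, 80 + 512 + 2 * m - 2
    wo = w_opt(m, eta, t)
    print("w_opt", wo, "P'(w_opt)", P_prime(m, eta, t, wo), "R(w_opt)", R(m, eta, t, wo))
    print("bits to flip", round(flips_to_reach(eta, m * eta, wo)))
    print("log2 sessions Random-HB#", log2_sessions(m, eta, t, ell_random))
    print("log2 sessions HB#", log2_sessions(m, eta, t, ell_hb))
    print("set I category:", category(1164, 0.25, 405, 689088))
```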


2.4 Strategy for t Close to $2m\eta(1 - \eta)$ 

The case $t < 2m\eta(1 - \eta)$ is trickier to address since the expected value of w becomes greater than $w_{opt}$. To achieve the same complexity as the previous case we would have to reduce the Hamming weight of $\bar\nu$, which is infeasible in polynomial time due to the hardness of the LPN problem. 

However, if t is only a little less than $2m\eta(1 - \eta)$ then the expected value of w is not far from $w_{opt}$. So, we can use Algorithm 2 without flipping any bit of z and the complexity is still polynomial. To further speed up the attack, we can remove errors from z in step 9 of Algorithm 2 until we reach $w = w_{opt}$, which we can expect to happen at iteration $i = \lceil m \log(w_{est}/w_{opt}) \rceil$. 

Application to parameter set I. For parameter set I we have $t < 2m\eta(1 - \eta)$. We first compute $w_{est} = m\eta = 291$, $w_{opt} = 228$, $P'(w_{opt}) = 0.0135$, $R(w_{est}) = 15\,532$ and $R(w_{opt}) = 2742.6$. For Random-HB#, the number of key bits is $\ell = (k_x + k_y)m = 689\,088$ and $\theta = 3.308$ is enough to guarantee that $\mathrm{erfc}(\theta) < \frac{1}{689\,088}$. We obtain a total complexity of $\ell\theta^2\left(\log\frac{w_{est}}{w_{opt}} R(w_{est}) + \left(1 - \log\frac{w_{est}}{w_{opt}}\right) R(w_{opt})\right) = 2^{35.4}$. For HB#, we have $\ell = k_x + k_y + 2m - 2 = 2\,918$ secret bits to retrieve, so $\theta = 2.401$ is enough and we get a total complexity of $\ell\theta^2\left(\log\frac{w_{est}}{w_{opt}} R(w_{est}) + \left(1 - \log\frac{w_{est}}{w_{opt}}\right) R(w_{opt})\right) = 2^{26.6}$. 


2.5 Strategy for Lower t 

In the case of lower t, the false acceptance rate will be very low but the false rejection rate of HB# becomes high (e.g. 0.5 for $t = m\eta$; please remember that for $t < m\eta$, HB# is no longer provably secure in the GRS security model), so that it would require more than one authentication on average for the tag to authenticate itself. The main advantage of this approach is that the complexity of Algorithm 1 becomes exponential. Here, we present a better strategy than calling Algorithm 2 with a triplet (a, b, z) obtained by a simple passive attack. 

Our goal is to call Algorithm 2 with a $w_{est}$ as low as possible. During the protocol, we can set $(\hat a, \hat b, \hat z)$ to $(a, b, z \oplus \bar\nu)$ with $\bar\nu$ of weight w until the reader accepts $\hat z$. Then, we launch our attack with $(\bar a, \bar b, \bar z) = (a, b, z)$. A detailed description is shown in Algorithm 3. 
Algorithm 3. Getting (a, b, z) with low Hamming weight 

Input: w 

Output: (a, b, z) such that $(aX \oplus bY \oplus z)$ has low weight. 
Processing: 

1: Pick a random vector $\bar\nu$ of Hamming weight w 
2: repeat 
3:   During a protocol with messages (a, b, z), set $\hat z = z \oplus \bar\nu$ 
4: until reader accepts 


The probability that $\hat z$ gets accepted by the verifier is P(w), which can be written in an equivalent way to Equation (1) as: 

$$P(w) = \sum_{i=0}^{m-w} \sum_{\substack{j=0 \\ i + j \le t}}^{w} \binom{m-w}{i}\eta^i(1-\eta)^{m-w-i}\binom{w}{j}(1-\eta)^j\eta^{w-j} \qquad (4)$$

For an accepted $\hat z$, the $m - w$ positions not in the support of $\bar\nu$ are erroneous with probability 

$$\eta_w = \frac{\sum_{i+j \le t} i\,\binom{m-w}{i}\eta^i(1-\eta)^{m-w-i}\binom{w}{j}(1-\eta)^j\eta^{w-j}}{(m-w)\,P(w)} \qquad (5)$$

On the other hand, the other positions of $\hat z$, in the support of $\bar\nu$, are non-zero with probability 

$$\eta'_w = \frac{\sum_{i+j \le t} j\,\binom{m-w}{i}\eta^i(1-\eta)^{m-w-i}\binom{w}{j}(1-\eta)^j\eta^{w-j}}{w\,P(w)} \qquad (6)$$

Thus, because of the high false rejection rate, if $\hat z$ gets accepted in our MIM attack with $(\bar a, \bar b, \bar z) = (0, 0, \bar\nu)$, we can expect that the error vector $\nu$ introduced in (a, b, z), the output of Algorithm 3, has weight $w_{est} = (m - w)\eta_w + w(1 - \eta'_w)$. 

Application to parameter set II with t = 55. Assume that for the parameter set II we set $t = m\eta \approx 55$. Then, an accepted vector obtained by a passive attack will most likely have weight $w_{est} = (m - w)\eta_0 + w(1 - \eta'_0) \approx 50$ and it will take $4\theta^2 R(w_{est}) = 2^{30}$ operations to determine its correct weight. Calling Algorithm 3, e.g., with w = 41, we get (a, b, z) with error vector $\nu$ of weight $w_{est} = (m - w)\eta_{41} + w(1 - \eta'_{41}) \approx 33$ in $1/P(41) = 2^{20}$ authentications and can recover the weight of $\nu$ in another $4\theta^2 R(33) = 2^{20}$ operations with Algorithm 1. We determined the optimal input w by exhaustive search minimizing the sum of the complexity of the consecutive execution of Algorithm 3 and Algorithm 1. 

In the following table we consider parameter sets I and II with modified t. It shows the costs to learn one bit about the secret key, i.e. calling Algorithm 1 with a random vector obtained by a passive attack, in comparison to calling Algorithm 3 first and then Algorithm 1 with its output. Note that recovering successive bits is always cheaper. 
Table 2. Attack cost for the initial bit of the shared key for HB# applied to $t = \lfloor \eta m \rfloor$ 

Parameter set   Algorithm 1   Algorithms 3 + 1
I               2^78          2^58.5
II              2^30          2^21


3 Optimizing the Attack 

In this section, we present our best attack on Random-HB# and HB#. First, we optimize Algorithm 2. Using an adaptive solution to the weighing problem [?] we show how to efficiently recover the error vector. Then, we present our full attack. 

3.1 Optimizing Algorithm 2 

The problem we are solving in Algorithm 2 can be formulated as follows: given an m-bit vector $\bar\nu$ of Hamming weight w and an oracle measuring the sum of some selected bits (Algorithm 1), what is the minimal number of measurements to fully recover $\bar\nu$? 

The naive solution to this problem employed in Algorithm 2 takes m measurements. A more sophisticated solution to fully recover a vector $\bar\nu$ of arbitrary weight was already given by Erdős and Rényi in [?]. They show that the minimal number of measurements required is upper-bounded by $(m\log_2 9)/\log_2 m$. To recover $\bar\nu$ in the given complexity, they define a fixed series of measurements for each m. However, in our case, the vector $\bar\nu$ is known to be of small weight ($\le m\eta$), which allows us to improve on the solution by Erdős and Rényi. Our proposal, Algorithm 4, does not use a fixed series of measurements but takes into account the partial information obtained by all previous measurements. 

To determine the error positions in a k-bit window by measuring the weight, Algorithm 4 uses a divide-and-conquer strategy: it splits the vector into two windows of the same length, then measures each of them. For those parts which do not have full or zero weight it then applies this strategy recursively, leading to a lower number of measurements compared to measuring a k-bit window bit by bit as Algorithm 2 does. 

The number of invocations of Algorithm 1, $C_w(k)$, to fully recover a k-bit window with known Hamming weight w by Algorithm 4 is 

$$C_w(k) = \begin{cases} 0 & \text{if } w = 0 \text{ or } w = k \\ 1 + \sum_{i} \dfrac{\binom{\lfloor k/2 \rfloor}{i}\binom{\lceil k/2 \rceil}{w-i}}{\binom{k}{w}} \left( C_i(\lfloor k/2 \rfloor) + C_{w-i}(\lceil k/2 \rceil) \right) & \text{otherwise} \end{cases}$$

Let C(k) be the average number of invocations of Algorithm 1 to first determine the number of errors in a k-bit window and then recover their positions using Algorithm 4: 

$$C(k) = 1 + \sum_{w} C_w(k) \binom{k}{w} \eta^w (1 - \eta)^{k-w}$$
Algorithm 4. Finding errors in |J|-bit windows 

Input: a, b, z, $w = \mathrm{wt}(aX \oplus bY \oplus z)$, a set $J \subseteq \{0, 1, \ldots, m\}$ and $w_J$ the number of non-zero $(aX \oplus bY \oplus z)_j$, $j \in J$ 

Output: $I \subseteq J$ containing the j with non-zero $(aX \oplus bY \oplus z)_j$, $j \in J$. 

Processing: 

1: if $w_J = 0$ then 
2:   $I \leftarrow \emptyset$ 
3: else if $w_J = |J|$ then 
4:   $I \leftarrow J$ 
5: else 
6:   Choose $J_1 \subset J$ such that $|J_1| = \lfloor |J|/2 \rfloor$. 
7:   Set $\nu'$ the m-bit vector with $\nu'_j = 1$ iff $j \in J_1$ 
8:   Call Algorithm 1 on input $(a, b, z \oplus \nu', n = 4\theta^2 R(w))$ to get $w'$. 
9:   Call Algorithm 4 with $(a, b, z, w, J_1, w_{J_1} = (w + |J_1| - w')/2)$ to get $I_1$ 
10:  Call Algorithm 4 with $(a, b, z, w, J \setminus J_1, w_J - w_{J_1})$ to get $I_2$ 
11:  $I \leftarrow I_1 \cup I_2$ 
12: end if 


Table 3. Complexity of measuring a 16-bit window for parameter sets I and II 

      Parameter Set I                   Parameter Set II
k     16·C(k)/k   Cost measurement      16·C(k)/k   Cost measurement
2     11          315.95                9.75        312.43
4     9.72        315.96                7.404       312.49
8     9.51        315.99                6.71        312.75
16    9.51        316.11                6.69        313.90


We note that C(k)/k is minimal when k is a power of 2. Although it is clear from Table 3 that the number of measurements decreases when k increases, the cost of measuring the weight of a k-bit window also increases faster with k, so a good tradeoff is to use k = 8. 

Now that we have an efficient algorithm to find error positions in fixed size windows, we introduce Algorithm 5, which takes benefit from Algorithm 4 to optimize the number of measurements needed to localize the introduced errors and output m linear equations. Algorithm 5 splits the error vector introduced in a triplet (a, b, z) into m/k k-bit windows, each one of which is then recovered using Algorithm 4. Additionally, using the learned bits, it adjusts z so that the next measurements cost less. The number of calls to Algorithm 4 we need before we reach $w = w_{opt}$ is then 
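The recursion for $C_w(k)$ and $C(k)$ above is short enough to check numerically; the Python below is an added example (not the paper's code) that implements it with the hypergeometric split probabilities and reproduces the 16·C(k)/k column of Table 3 for both parameter sets.

```python
from functools import lru_cache
from math import comb

@lru_cache(maxsize=None)
def C_w(k, w):
    """Expected number of weight measurements Algorithm 4 spends to locate the
    w errors of a k-bit window: none if the window is empty or full, otherwise
    one measurement of the first half and recursion into both halves.  The
    number i of errors landing in the first half is hypergeometric."""
    if w == 0 or w == k:
        return 0.0
    h1, h2 = k // 2, k - k // 2          # |J1| = floor(k/2), |J \ J1| = ceil(k/2)
    total = 1.0
    for i in range(max(0, w - h2), min(w, h1) + 1):
        p_i = comb(h1, i) * comb(h2, w - i) / comb(k, w)
        total += p_i * (C_w(h1, i) + C_w(h2, w - i))
    return total

def C(k, eta):
    """Average measurements per k-bit window with Bernoulli(eta) errors: one call
    of Algorithm 1 to learn the window weight, then Algorithm 4 to locate the errors."""
    return 1.0 + sum(C_w(k, w) * comb(k, w) * eta ** w * (1 - eta) ** (k - w)
                     for w in range(k + 1))

def per_16_bits(k, eta):
    """Measurements per 16 bits, 16 * C(k) / k: the C(k) column of Table 3."""
    return 16.0 * C(k, eta) / k

if __name__ == "__main__":
    for eta in (0.25, 0.125):        # parameter sets I and II
        print(eta, [round(per_16_bits(k, eta), 3) for k in (2, 4, 8, 16)])
```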
Algorithm 5. Optimizing Algorithm 2 

Input: a, b, z and $w_{est}$ the expected weight of $\bar\nu = aX \oplus bY \oplus z$, k 

Output: A linear equation $aX \oplus bY = c$ 

Processing: 

1: Initialize m-bit vector $c \leftarrow z$ 
2: Initialize $M \leftarrow \emptyset$ 
3: Call Algorithm 1 on input $(a, b, z, n = 4\theta^2 R(w_{est}))$ to get w 
4: Define a set S of $J_i = \{ik + 1, \ldots, \min((i + 1)k, m)\}$, $i = 1 \ldots \lceil m/k \rceil$ 
5: repeat 
6:   Choose $J \in S$ 
7:   Call Algorithm 1 on input $(a, b, z \oplus J, n = \theta^2 R(w))$ to get $w'$ 
8:   Call Algorithm 4 with $(a, b, z, w, J, w_J = (w + |J| - w')/2)$ to get I 
9:   Set $c_i \leftarrow c_i \oplus 1$ for all $i \in I$ 
10:  $M \leftarrow M \cup I$ 
11:  Remove J from S 
12:  if $w > w_{opt}$ then 
13:    Flip $\min(|I|, w - w_{opt})$ bits $z_i$ for which $i \in I$ 
14:    $w \leftarrow w - \min(|I|, w - w_{opt})$ 
15:  else if $w < w_{opt}$ then 
16:    Flip $\min(|J \setminus I|, w_{opt} - w)$ bits $z_i$ for which $i \in J \setminus I$ 
17:    $w \leftarrow w + \min(|J \setminus I|, w_{opt} - w)$ 
18:  end if 
19: until $S = \emptyset$ 

So the full complexity of Algorithm 5 is given by 

$$N = \theta^2 \left( i\,R(w_{est}) + \left\lceil \frac{m}{k} - i \right\rceil R(w_{opt}) \right) C(k).$$


3.2 Final Algorithm 

The final attack is described in Algorithm 6. The idea is to get a vector with low expected weight using Algorithm 3 and then find all the erroneous positions inserted by the tag to obtain m linear equations, and iterate this until we get enough equations to solve and find the secrets X and Y. To get the lower complexity, we can flip the last bits of z so that we end up with an expected weight of $w_{opt}$. We note that introducing errors in a full segment as defined by Step 4 of Algorithm 5 does not increase the needed number of measurements as $C_w(k) = C_{k-w}(k)$. Using Formula (3), we deduce the full complexity in terms of intercepted authentications as 

$$\left\lceil \frac{\ell}{m} \right\rceil \theta^2 \left( i\,R(w_{est}) + \left\lceil \frac{m}{k} - i \right\rceil R(w_{opt}) \right) C(k) \qquad (7)$$

Application to parameter set I. With input k = 8 and w = 300 we obtain $P(w) = 2^{-7}$, $w_{est} = 273$ and $w_{opt} = 228$, i = 24, $R(w_{opt}) = 2742.6$, $R(w_{est}) = 7\,026.4$. So the full complexity of the attack is then given by Equation 


120 K. Ouafi, R. Overbeck, and S. Vaudenay 


Algorithm 6. Final attack on Random-HB# and HB# 

Input: k, w 

Output: X, Y the secrets of the tag 
Processing: 

1: Initialize $S \leftarrow \emptyset$ 
2: for $i = 1 \ldots \lceil \ell/m \rceil$ do 
3:   Call Algorithm 3 on input w to get a, b, z with an error vector of expected weight $w_{est} = (m - w)\eta_w + w(1 - \eta'_w)$ 
4:   if $w_{opt} > w_{est}$ then 
5:     Flip the last $(w_{opt} - m\eta)/(1 - 2\eta)$ bits of z 
6:     Set $w_{est} \leftarrow w_{opt}$ 
7:   end if 
8:   Call Algorithm 5 on input $(a, b, z, w_{est}, k)$ to get m linear equations 
9:   Insert the linear equations in S 
10: end for 
11: Solve S 


(7) with $\theta$ and $\ell$ as in Section 2.4. This is $2^{25}$ sessions for HB# and $2^{33.8}$ for Random-HB#. 

Application to parameter set II. In this case, we have k = 8, w = 0 and $w_{est} = 55$. We flip 29 bits to obtain an error vector of expected weight $w_{opt} = 77$, which yields $R(w_{opt}) = 269.39$ and i = 0. The complexity is $2^{19.7}$ sessions for HB# and $2^{28.1}$ for Random-HB#. 


4 Attacking Parameter Vectors without False Rejections 

To thwart the previous attacks without taking parameter sets with huge m or a high false rejection rate, we could change the protocol so that the prover generates a vector $\nu$ of constant or bounded Hamming weight, as was proposed for parameter set III. In this section we will show that this leads to different attacks. 

Assume that the prover accepts (a, b, z) iff $w = \mathrm{wt}(aX \oplus bY \oplus z) = t$; then from this triplet the attacker learns 



It is possible to recover the matrices X and Y by sending $z \oplus \bar\nu$ instead of the tag's response z to the reader, where $\bar\nu$ is an m-bit vector of Hamming weight 2. Doing so, the attacker learns 

since the verifier accepts $\hat z$ on challenges a, b if there was exactly one error in the flipped positions, which is the case with probability $\binom{m-w}{1}\binom{w}{1}/\binom{m}{2}$. 

The above approach may be generalized to the case where the Hamming weight of $\nu$ is bounded in the original protocol, i.e. if the verifier accepts if $w \le t$ and the prover discards error vectors which are going to be rejected. This was suggested for the parameter vector III. Again, the attacker can replace the tag's answer z by $z \oplus \bar\nu$ where $\bar\nu$ is of weight 2. Now, the attacker's response $z \oplus \bar\nu$ gets rejected iff $w \in \{t - 1, t\}$ and the attacker flipped two non-erroneous positions. Thus, in the case of a rejection, the attacker learns 

$$(aX \oplus bY)_i = z_i, \quad i \in \mathrm{supp}(\bar\nu)$$

which happens with probability 

$$q = \frac{\sum_{i=t-1}^{t} \binom{m}{i}\eta^i(1-\eta)^{m-i}\,\binom{m-i}{2}/\binom{m}{2}}{\sum_{i=0}^{t} \binom{m}{i}\eta^i(1-\eta)^{m-i}}$$

Application to parameter set III. For the parameter vector III, the attacker learns two bits about the secret key every $1/q = 2^{9.02} \approx 512$ iterations. This is 16 times faster than an attack by Algorithm 6 and needs only $\ell \cdot 2/q = 2^{26}$ authentications to recover a Random-HB# secret key ($2^{19}$ for HB#). 
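The probability q above, and the acceptance probability of the constant-weight variant before it, can be evaluated exactly; the Python below is an added example (not the paper's code) that does so with rational arithmetic for parameter set III. It passes $\eta$ as a float that is dyadic (1/8, 1/4), so the conversion to a Fraction is exact.

```python
from fractions import Fraction
from math import comb, log2

def weight_pmf(m, i, eta):
    """Pr[wt(nu) = i] for m independent Bernoulli(eta) noise bits, as an exact
    rational (eta = 1/8 or 1/4 converts to a Fraction without rounding)."""
    eta = Fraction(eta)
    return comb(m, i) * eta ** i * (1 - eta) ** (m - i)

def constant_weight_accept_probability(m, w):
    """Constant-weight variant (the verifier requires wt(aX + bY + z) = t exactly):
    a response with two extra flipped positions keeps weight w = t, and is thus
    accepted, iff exactly one flipped position was already erroneous, which has
    probability C(m-w, 1) C(w, 1) / C(m, 2)."""
    return Fraction((m - w) * w, comb(m, 2))

def rejection_probability(m, eta, t):
    """Bounded-weight variant (verifier accepts wt <= t, tag discards heavier noise):
    q = Pr[a response with two flipped positions is rejected], which happens iff
    wt(nu) is t-1 or t and both flipped positions were error-free.  The
    denominator renormalises over the noise vectors the tag actually sends."""
    kept = sum(weight_pmf(m, i, eta) for i in range(t + 1))
    rejected = sum(weight_pmf(m, i, eta) * Fraction(comb(m - i, 2), comb(m, 2))
                   for i in range(max(0, t - 1), t + 1))
    return rejected / kept

def log2_sessions_per_rejection(m, eta, t):
    """log2(1/q): sessions between two rejections, each fixing two bits of aX + bY."""
    return log2(float(1 / rejection_probability(m, eta, t)))

if __name__ == "__main__":
    m, eta, t = 256, 0.125, 48   # parameter set III
    print("q = %.3e, 1/q = 2^%.2f" % (float(rejection_probability(m, eta, t)),
                                    log2_sessions_per_rejection(m, eta, t)))
```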

5 Lower Bounds on Secure Parameters 

In this section, we investigate the lower bounds on the parameter sets for which our attack is not effective. We say that HB# is secure if recovering one bit of information about the secret key requires an attack with complexity (in terms of protocol sessions) within an order of magnitude of at least $2^{80}$ and a "reasonably comparable" time complexity. 

Let us assume that Algorithm 3 succeeds with a total error weight of $t = \mathrm{wt}(\nu \oplus \bar\nu)$ when the added error vector has weight w. To obtain this vector, the attacker limited to $2^{80}$ operations can choose the input w in any way, such that $1/P(w) = 1/\Phi\!\left(\frac{t - \mu}{\sigma}\right) \le 2^{80}$. Since $\Phi(-10.2) \approx 2^{-80}$ we can be sure that the w chosen by the attacker satisfies 

$$\frac{t - \mu}{\sigma} = \frac{t - (m - w)\eta - w(1 - \eta)}{\sqrt{m\eta(1 - \eta)}} \ge -10.2$$
$$\Leftrightarrow (m - w)\eta + w(1 - \eta) \le 10.2\sqrt{m\eta(1 - \eta)} + t$$
$$\Leftrightarrow -w\eta + w(1 - \eta) \le 10.2\sqrt{m\eta(1 - \eta)} + t - m\eta \qquad (8)$$
$$\Leftrightarrow w(1 - 2\eta) \le -m\eta + t + 10.2\sqrt{m\eta(1 - \eta)}$$
$$\Leftrightarrow w \le \frac{1}{1 - 2\eta}\left(10.2\sqrt{m\eta(1 - \eta)} + t - m\eta\right).$$

Fixing $t = \lfloor m\eta \rfloor$, for which our attack has the maximal complexity, we get the lowest value for a secure m, thus $w = \frac{10.2\sqrt{m\eta(1 - \eta)}}{1 - 2\eta}$. 

We can now calculate the value $w_{est}$ by using equations (4), (5) and (6) and then, by using Formula (2) with r = 1/2 and $\theta = 1/2$ (which leads to $\mathrm{erfc}(\theta) = 0.4795$), we can estimate the total cost of the attack. By using an exhaustive 
Fig. 2. Security level in logarithmic scale in comparison to m when $t = m\eta$ 

search on m we obtain that m = 1 697 for $\eta = 1/4$ and m = 2 903 for $\eta = 1/8$ is the lowest choice achieving $2^{80}$-security and a 50% false rejection rate. The full results with the intermediate values are summarized in Table 4. 

Table 4. Lowest values of m and $t = \lfloor m\eta \rfloor$ for which our attack is not effective 

eta     m      t     w     w_est   eta_w     eta'_w    1/P(w)   n
0.25    1697   424   364   340     2^-2.73   2^-0.7    2^80     2^80
0.125   2903   363   242   229     2^-3.93   2^-0.35   2^80     2^80

Following this method we obtain the graphs of Fig. 2 showing how the security scales with growing m. To reach this security with a more acceptable false rejection rate (ideally negligible), m has to be higher. 

6 Conclusion 

In this article, we proved that the conjecture about the security of Random-HB# and HB# is wrong. We presented a basic attack against these protocols that allows retrieving the shared secret between a reader and a tag. We showed a lower bound on the parameter set for which our attack is not effective, but such parameters are impractical to use in RFID tags. 

Although it may not be the most effective for all versions, our attack is valid against all earlier protocols of the HB family. 
Table 5. Summary of the complexity of our attacks 

Parameter Set     k_x   k_y   m      eta     t     Random-HB#   HB#
I                 80    512   1164   0.25    405   2^34         2^25
II                80    512   441    0.125   113   2^28         2^20
III (w bounded)   80    512   256    0.125   48    2^26         2^19


There are still new versions in the HB family. PUF-HB, proposed by Hammouri and Sunar [?], uses a physical unclonable function but does not carry any proof of security against man-in-the-middle attacks. Indeed, a closer look reveals several possible points of attack for a man in the middle, like flipping the last bit in the challenge vector a. On the other side, Trusted-HB, proposed by Bringer and Chabanne [?], is proved secure against general man-in-the-middle attacks. However, this comes at the cost of adding a check on the integrity of the error vector using a secure cryptographic hash function, which on its own would be sufficient to allow authentication by shared secrets. 
Abstract. We present a general way to get a provably collision-resistant hash function from any (suitable) Σ-protocol. This enables us to both get new designs and to unify and improve previous work. In the first category, we obtain, via a modified version of the Fiat-Shamir protocol, the fastest known hash function that is provably collision-resistant based on the standard factoring assumption. In the second category, we provide a modified version VSH* of VSH which is faster when hashing short messages. (Most Internet packets are short.) We also show that Σ-hash functions are chameleon, thereby obtaining several new and efficient chameleon hash functions with applications to on-line/off-line signing, chameleon signatures and designated-verifier signatures. 

1 Introduction 

The failure of popular hash functions MD5 and SHA-1 [?] lends an impetus to the search for new ones. The contention of our paper is that there will be a "niche" market for proven-secure even if not-so-fast hash functions. Towards this we provide a general paradigm that yields hash functions provably secure under number-theoretic assumptions, and also unifies, clarifies and improves previous constructs. Our hash functions have extra features such as being chameleon [?]. Let us now look at all this in more detail. 

The need for proven-secure hashing. Suppose an important document has been signed with a typical hash-then-sign scheme such as PKCS#1 [?]. If collisions are found in the underlying hash function, the public key needs to be revoked and the signature can no longer be accepted. Yet there are instances in which we want a public key and signatures under it to survive for twenty or more years. This might be the case for a central and highly disseminated certificate or an important contract. Revocation of a widely disseminated public key is simply too costly and error-prone. In such a case, we want to be able to trust that collisions in our hash function will not be found even twenty years down the line. 

Given the failure of MD5 and SHA-1, it would be understandable, from this twenty-year perspective, to feel uncertain about any hash function designed by "similar" methods. On the other hand, we may be very willing to pay a (reasonable!) computational price for security because documents or certificates of the ultra-importance we are considering may not need to be signed often. In this case, hash functions with proven security are interesting, and the faster they are the better. Our contribution is a general transform that yields a plurality of such hash functions, not only providing new ones but "explaining" or improving old ones. 

From Σ to hash. We show how to construct a collision-resistant hash function from any (suitable) Σ-protocol. Recall that Σ-protocols are a class of popular 3-move identification schemes. Canonical examples are the Schnorr [?], Fiat-Shamir [?] and GQ [?] protocols, but there are many others as well [?]. Briefly, our hash function is defined using the simulator underlying a strong form of the usual honest-verifier zero-knowledge property of Σ-protocols. (We stress that the computation of the hash is deterministic even though the simulator is randomized!) The collision-resistance stems from strong special soundness [?], a well-studied property of Σ-protocols. The advantage of our approach is that there is a rich history in constructing proven-secure Σ-protocols and we can now leverage this to get collision-resistant hash functions. For future reference let us refer to a hash function derived from our approach as a Σ-hash function. 

Damgård and Cramer, Damgård and MacKenzie have previously shown 
that it is possible to design commitment schemes based on Σ-protocols, but prior 
to our work it had not been observed that one can design collision-resistant hash 
functions from Σ-protocols. Note that secure commitment is not known to imply 
collision-resistant hashing and in fact is unlikely to do so, because the former can 
be based on one-way functions and the latter probably cannot. Perhaps as 
a consequence, our construction requires slightly stronger properties from the 
Σ-protocols than do these commitment constructions. 

Specific designs. The Schnorr and GQ schemes are easily shown to 
meet our conditions, yielding collision-resistant Σ-hash functions H-Sch and 
H-GQ based, respectively, on discrete log and RSA. More interesting is the 
Fiat-Shamir protocol FS. It doesn’t satisfy strong special soundness, but we 
modify it to a protocol SFS (strong FS) that we prove does under the factor- 
ing assumption, thereby obtaining a Σ-hash function H-SFS. From a modified 
version of the Micali-Shamir protocol we obtain a Σ-hash function H-SMS 
with security based on the SRPP (Square Roots of Prime Products) assumption. 
We also obtain a Σ-hash H-Oka from Okamoto’s protocol and a 
pairing-based Σ-hash H-HS from an identification protocol derived from 
the identity-based signature scheme of Hess. 

How fast? One question we consider interesting is: how fast can one hash 
while maintaining a proof of security under the standard factoring assumption? 
Figure 1 compares H-SFS to the fastest known factoring-based functions and 
shows that the former emerges as the winner. (VSH is faster than all these, 
but is based on a non-standard assumption related to the difficulty of extract- 
ing modular square roots of products of small primes. We will discuss VSH, 
and our improvement to it, in a bit.) In Figure 1, H-Da is the most efficient 
factoring-based instantiation known of Damgård’s claw-free permutation-based 
hash function, and H-ST is the hash function of Shamir and Tauman. 
The table entries are the rate, defined as the average number of bits of 
data hashed per modular multiplication in MD mode with a block size of 512 
bits and a modulus and output size of 1024 bits. The figure shows that without 
pre-computation, H-SFS is twice as fast as H-Da and 9 times as fast as H-ST. 
But H-SFS is amenable to pre-computation based speedup and H-Da is not, 
so the gap in their rates increases swiftly with storage. H-ST is also amenable 
to pre-computation based speedup, but H-SFS remains a factor 4 faster for any 
given amount of storage. We also remark that additionally H-SFS is amenable 
to parallelization, unlike the other functions. We remark that H-SMS is faster 
than H-SFS but based on a stronger assumption. In Section 4 we recall H-Da 
and H-ST and justify the numbers in Figure 1. We also discuss implementation 
results. 

[Fig. 1. Performance of factoring-based hash functions. The modulus and output size 
are 1024 bits and the block size is 512 bits. “Pre” is the amount of pre-computation, 
in number of group elements stored. The table entry is the rate, defined as the average 
number of bits of data hashed per modular multiplication.] 

Features of Σ-hash functions. Krawczyk and Rabin introduced 
chameleon hashing. The function they show has this property is the discrete-log 
one (H-Sch in our taxonomy), and Shamir and Tauman add one more 
example, namely H-ST. We add five more examples, namely H-GQ, H-SFS, 
H-SMS, H-Oka and H-HS. We obtain this as a consequence of a general result 
(Theorem 2) showing that any Σ-hash is chameleon. 

Chameleon hashing has numerous applications. One of these is Shamir and 
Tauman’s chameleon-hash based method for on-line/off-line signing. This 
means that when one uses a Σ-hash one can completely eliminate the on-line cost 
of signing. (This cost is shifted entirely to the off-line phase.) This compensates 
to some extent for the reduced efficiency of Σ-hash functions compared to con- 
ventional ones. (MD5 and SHA-1 are not chameleon and do not allow one to use 
the Shamir-Tauman construction.) Another application is chameleon signatures, 
which provide a recipient with a non-repudiable signature of a message 
without allowing it to prove to a third party that the signer signed this message. 
As explained there, this is an important tool for privacy-respecting authenticity 
in the signing of contracts and agreements. Finally, chameleon hash functions 
are used in designated-verifier signatures to achieve privacy. By adding 
new and more efficient chameleon hash functions to the pool of existing ones we 
enable new and more efficient ways to implement all these applications. 
Another attribute of Σ-hash functions is that they are keyed. While one can, 
of course, simply hardwire into the code a particular key to get an unkeyed 
function in the style of MD5 or SHA-1, it is advantageous, as has been argued 
before, to allow each user to choose their own key. The reason is that damage from a 
collision is now limited to the user whose key is involved, and the attacker must 
re-invest resources to attack another key. This slows down the rate of attacks 
and gives users time to get patches in place or revoke keys. 

Finally, the reductions underlying the security proofs of Σ-hash functions are 
tight, so that the proven security guarantees hold for normal values of the 
security parameters. 

A reverse connection. As indicated above, Theorem 2 shows that Σ-hash 
functions are chameleon. Theorem 3 shows that the converse is true as well. 
Namely, all chameleon hash functions are Σ-hash functions. We prove this by 
associating to any chameleon hash function H a Σ-protocol SP such that apply- 
ing our Σ2H (Σ-to-hash) transform to SP returns H. We thereby have a charac- 
terization of chameleon hash functions as Σ-hash functions, which we consider 
theoretically interesting. We also obtain numerous new Σ-protocols, and thus 
identification protocols and, via the commitment constructions mentioned above, 
commitment schemes, from existing chameleon hash functions such as H-Da 
and H-ST. However, we are not aware of any practical benefit of these constructs 
over known ones. 

Unifying previous work. H-Sch turns out to be exactly the classical hash 
function of Chaum, van Heijst and Pfitzmann, and H-Oka an extension 
thereof. (Our other hash functions H-GQ, H-SFS, H-SMS and H-HS are 
new.) The re-derivation of these two hash functions as Σ-hashes sheds new light 
on the designs and shows how the Σ paradigm explains and unifies previous 
constructs. 

But the most interesting connection in this regard is one we make between 
VSH and H-SMS, the Σ-hash function emanating from the protocol of Mi- 
cali and Shamir. The latter is a more efficient version of the Fiat-Shamir 
protocol in which the public key, rather than consisting of random quadratic 
residues, consists of small primes. Interestingly, H-SMS turns out to be the VSH 
compression function, modulo some details. We suggest that this provides 
some intuition for the VSH design. It turns out that we can exploit this connec- 
tion to get some improvements to VSH. 

VSH*. In number-theoretic hashing there is (as elsewhere) a trade-off between 
speed and assumptions. We saw above that H-SFS is the fastest known hash 
function under the standard factoring assumption. We now turn to non-standard 
factoring-related assumptions. Here the record-holder is VSH, with a proof 
based on the VSSR assumption. Our contribution is a modification VSH* 
of VSH that is faster for short messages. (Our implementations show that VSH* 
is up to 5 times faster than VSH on short messages. On long messages they 
have the same performance.) This is important because short messages are an 
important case in practice. (For example, most Internet packets are short.) VSH* 
remains provably collision-resistant under the same VSSR assumption as VSH. 
We provide analogous improvements for the Fast-VSH variant of VSH. Again 
we can provide Fast-VSH*, whose underlying compression func- 
tion (unlike that of Fast-VSH) is proven collision-resistant, leading to speedups 
in hashing short messages. However, the speed gains are smaller than in the 
previous case. 

Overall we believe that, even putting performance aside, having a collision- 
resistant compression function underlying a hash function is a plus, since it can 
be used directly and makes the hash function more misuse-resistant. 

What Σ-hash functions aren’t. Some recent work suggests that 
general-purpose hash functions should have extra properties like pseudorandom- 
ness. Σ-hash functions are merely collision-resistant and chameleon; they do not 
offer these extra attributes. But as indicated above, Σ-hash functions are not in- 
tended to be general purpose. The envisaged applications are chameleon hashing 
and proven-secure, reasonable-cost (purely) collision-resistant hashing. 

Related work. Damgård presents a construction of collision-resistant hash 
functions from claw-free permutation pairs. As noted above, his factoring- 
based instantiation is slower than our H-SFS. 

Ishai, Kushilevitz and Ostrovsky show how to transform homomorphic en- 
cryption (or commitment) schemes into collision-resistant hash functions. This is 
an interesting theoretical connection between the primitives. As far as we can tell, 
however, the approach is not yet practical. Specifically, their quadratic-residuosity 
(QR) based instantiation has a rate of 1/40 (that is, 40 modular multiplications 
per bit) with a 1024-bit modulus. (Their matrix needs 80 rows to get the 80-bit se- 
curity corresponding to a 1024-bit modulus.) Hence their function is much slower 
than the constructs of Figure 1, in addition to being based on a stronger assump- 
tion (QR as opposed to factoring). Additionally it has an 80 · 1024 bit output, so in 
a practical sense is not really hashing. Other instantiations of their construction 
that we know (El Gamal under DDH, Paillier under DCRA) are also both 
slower than known ones and based on stronger assumptions. 

Charles, Goren and Lauter present a construct based on the assumed hard- 
ness of some problems related to elliptic curves. Their constructs are slower than 
ours and additionally are based on assumptions that are non-standard and should 
be treated with care. Lyubashevsky, Micciancio, Peikert and Rosen 
present a fast hash function SWIFFT with an asymptotic security proof based on 
assumptions about the hardness of lattice problems, but the proof would 
not seem to yield guarantees for the parameter sizes they propose. In contrast, 
our reductions are tight and the proofs provide guarantees for standard values of 
the security parameters. Bellare and Micciancio’s construction (whose goal was 
to achieve incrementality) uses random oracles, but these can be eliminated by 
using a small block size, such as one bit. In this case their MuHASH is provably 
collision-resistant based only on the discrete-log assumption, and runs at 0.33 bits 
per group operation in MD mode. In comparison, H-Sch (also discrete-log based) 
is faster, at 0.57 bits per group operation in MD mode. 
2 Definitions 

Notation and conventions. We denote by $a_1\|\cdots\|a_n$ a string encoding of 
$a_1, \ldots, a_n$ from which the constituent objects are uniquely recoverable. We de- 
note the empty string by $\varepsilon$. Unless otherwise indicated, an algorithm may be 
randomized. If $A$ is a randomized algorithm then $y \leftarrow_{\$} A(x_1, \ldots)$ denotes the 
operation of running $A$ with fresh coins on inputs $x_1, \ldots$ and letting $y$ denote the 
output. We denote by $[A(x_1, \ldots)]$ the set of all $y$ that have positive probability of 
being output by $A$ on input $x_1, \ldots$. If $S$ is a (finite) set then $s \leftarrow_{\$} S$ denotes the 
operation of picking $s$ uniformly at random from $S$. If $X = x_1\|x_2\|\cdots\|x_n$, then 
$x_1\|x_2\|\cdots\|x_n \leftarrow X$ denotes the operation of parsing $X$ into its constituents. Sim- 
ilarly, if $X = (x_1, x_2, \ldots, x_n)$ is an $n$-tuple, then $(x_1, x_2, \ldots, x_n) \leftarrow X$ denotes 
the operation of parsing $X$ into its elements. We denote the security parameter 
by $k$, and by $1^k$ its unary encoding. Vectors are denoted in boldface, for example 
$\mathbf{u}$. If $\mathbf{u}$ is a vector then $|\mathbf{u}|$ is the number of its components and $\mathbf{u}[i]$ is its $i$-th 
component. “PT” stands for polynomial time. 

Σ-protocols. A Σ-protocol is a three-move interactive protocol conducted by a 
prover and a verifier. Formally, it is a tuple $\mathsf{SP} = (K, P, V, \mathrm{CmSet}, \mathrm{ChSet}, \mathrm{RpSet})$, 
where $K, P$ are PT algorithms and $V$ is a deterministic boolean algorithm. The 
key-generation algorithm $K$ takes input $1^k$ and returns a pair $(pk, sk)$ consisting 
of a public and secret key for the prover. The latter is initialized with $pk, sk$ while 
the verifier is initialized with $pk$. The parties interact as depicted in Figure 2. 
The prover begins by applying $P$ to $pk, sk$ to yield his first move $Y \in \mathrm{CmSet}(pk)$, 
called the commitment, together with state information $y$, called the ephemeral 
secret key. The commitment is sent to the verifier, who responds with a chal- 
lenge $c$ drawn at random from $\mathrm{ChSet}(pk)$. The prover computes its response $z$ by 
applying $P$ to $pk, sk$, the challenge and the ephemeral secret key $y$. (This compu- 
tation may use fresh coins, although in the bulk of protocols it is deterministic.) 
Upon receiving $z$ the verifier applies $V$ to the public key and transcript $Y\|c\|z$ 
of the conversation to decide whether to accept or reject. We require complete- 
ness, which means that an interaction between the honest prover and verifier is 
always accepting. Formally, for all $k \in \mathbb{N}$ we have $d = 1$ with probability 1 in 
the experiment 

$(pk, sk) \leftarrow_{\$} K(1^k);\ (Y, y) \leftarrow_{\$} P(pk, sk);\ c \leftarrow_{\$} \mathrm{ChSet}(pk);$ 
$z \leftarrow_{\$} P(pk, sk, c, y);\ d \leftarrow V(pk, Y\|c\|z).$ 

The verifier, given $pk, Y\|c\|z$, should always check that $Y \in \mathrm{CmSet}(pk)$, 
$c \in \mathrm{ChSet}(pk)$ and $z \in \mathrm{RpSet}(pk)$, and reject otherwise. We implicitly assume 
this is done throughout. 

Fig. 2. Σ-protocol. Keys $pk$ and $sk$ are produced using key-generation algorithm $K$. 

  Prover (input: $pk, sk$)                          Verifier (input: $pk$) 
  $(Y, y) \leftarrow_{\$} P(pk, sk)$      ---- $Y$ ---->
                                          <---- $c$ ----   $c \leftarrow_{\$} \mathrm{ChSet}(pk)$ 
  $z \leftarrow_{\$} P(pk, sk, y, c)$     ---- $z$ ---->   $d \leftarrow V(pk, Y\|c\|z)$ 

Security notions. We provide formal definitions of strong special soundness 
(sss) and strong honest-verifier zero-knowledge (StHVZK). Strong special sound- 
ness of Σ-protocol $\mathsf{SP} = (K, P, V, \mathrm{CmSet}, \mathrm{ChSet}, \mathrm{RpSet})$ asks that it be com- 
putationally infeasible, given only the public key, to produce a pair of accepting 
transcripts that are commitment-agreeing but challenge-response-disagreeing. 
Formally an sss-adversary, on input $pk$, returns a tuple $(Y, c_1, z_1, c_2, z_2)$ such 
that $Y \in \mathrm{CmSet}(pk)$; $c_1, c_2 \in \mathrm{ChSet}(pk)$; $z_1, z_2 \in \mathrm{RpSet}(pk)$ and $(c_1, z_1) \neq (c_2, z_2)$. 
The advantage $\mathbf{Adv}^{\mathrm{sss}}_{\mathsf{SP},A}(k)$ of such an adversary is defined for all $k \in \mathbb{N}$ 
as the probability that $V(pk, Y\|c_1\|z_1) = 1$ and $V(pk, Y\|c_2\|z_2) = 1$ in the 
experiment where $K(1^k)$ is first executed to get $(pk, sk)$ and then $A(pk)$ is ex- 
ecuted to get $(Y, c_1, z_1, c_2, z_2)$. We say that $\mathsf{SP}$ has strong special soundness 
if $\mathbf{Adv}^{\mathrm{sss}}_{\mathsf{SP},A}(\cdot)$ is negligible for all PT sss-adversaries $A$. To define StHVZK, let 
$\mathrm{Tr}_{\mathsf{SP}}$ be the algorithm that on input $pk, sk$ executes $P$ and $V$ as per Figure 2 
and returns the transcript $Y\|c\|z$. Recall that a PT algorithm $\mathrm{Sim}$ is a HVZK 
simulator for $\mathsf{SP}$ if the outputs of the processes 

$(pk, sk) \leftarrow_{\$} K(1^k);\ \text{Return } (pk, \mathrm{Sim}(pk))$ 

and 

$(pk, sk) \leftarrow_{\$} K(1^k);\ \text{Return } (pk, \mathrm{Tr}_{\mathsf{SP}}(pk, sk))$ 

are identically distributed. We say that a PT algorithm $\mathrm{StSim}$ is a strong HVZK 
(StHVZK) simulator for $\mathsf{SP}$ if $\mathrm{StSim}$ is deterministic and the algorithm $\mathrm{Sim}$ 
defined on input $pk$ by 

$c \leftarrow_{\$} \mathrm{ChSet}(pk);\ z \leftarrow_{\$} \mathrm{RpSet}(pk);\ Y \leftarrow \mathrm{StSim}(pk, c, z);\ \text{Return } Y\|c\|z$ 

is a HVZK simulator for $\mathsf{SP}$. We say that $\mathsf{SP}$ is StHVZK if it has a PT StHVZK 
simulator. We denote by $\Sigma(\mathrm{sss})$ the set of all Σ-protocols that satisfy strong 
special soundness and by $\Sigma(\mathrm{StHVZK})$ the set of all Σ-protocols that are strong 
HVZK. 

Discussion. While the basic format of Σ-protocols as 3-move protocols of the 
type above is agreed upon, when it comes to security properties there are differ- 
ent choices and variations in the literature. Our formalization of strong special 
soundness follows earlier work. Strong HVZK seems to be new, but is natural since we 
will find many protocols that possess it. 

Collision-resistant hash functions. A family of $n$-input hash functions 
(where $n \geq 1$ is a constant) is a tuple $\mathcal{H} = (\mathrm{KG}, H, D_1, \ldots, D_n, R)$. The key- 
generation algorithm $\mathrm{KG}$ takes input $1^k$ and returns a key $K$ describing a partic- 
ular function $H_K : D_1(K) \times \cdots \times D_n(K) \to R(K)$. As this indicates, $D_1, \ldots, D_n, R$ 
are functions that given $K$ return sets. A cr-adversary, on input $K$, returns 
distinct tuples $(x_1, \ldots, x_n), (y_1, \ldots, y_n)$ such that $x_i, y_i \in D_i(K)$ for all $1 \leq 
i \leq n$. The advantage $\mathbf{Adv}^{\mathrm{cr}}_{\mathcal{H},B}(k)$ of such an adversary $B$ is defined for all 
$k \in \mathbb{N}$ as the probability that $H(K, x_1, \ldots, x_n) = H(K, y_1, \ldots, y_n)$ in the ex- 
periment where $\mathrm{KG}(1^k)$ is first executed to get $K$ and then $B(K)$ is executed 
to get $((x_1, \ldots, x_n), (y_1, \ldots, y_n))$. We say that $\mathcal{H}$ is collision resistant if the cr- 
advantage of any PT adversary $B$ is negligible. 

3 Σ-Hash Theory 

This section covers the theory of Σ-hash functions. We present and justify the 
Σ2H transform that turns a Σ-protocol $\mathsf{SP} \in \Sigma(\mathrm{sss}) \cap \Sigma(\mathrm{StHVZK})$ into a collision- 
resistant hash function H-SP. Then we find Σ-protocols which we can prove 
have the required properties and derive specific Σ-hash functions. Finally we 
relate Σ and chameleon hash functions. In Section 4 we discuss the practical 
and performance aspects of our Σ-hash functions. 

The transform. We show how to build a collision-resistant hash function from 
any Σ-protocol $\mathsf{SP} = (K, P, V, \mathrm{CmSet}, \mathrm{ChSet}, \mathrm{RpSet}) \in \Sigma(\mathrm{sss}) \cap \Sigma(\mathrm{StHVZK})$, 
that is, one that satisfies strong special soundness and strong HVZK. Let $\mathrm{StSim}$ be 
a strong HVZK simulator for $\mathsf{SP}$. We define the 2-input family of hash functions 
$\mathcal{H} = (\mathrm{KG}, H, \mathrm{ChSet}, \mathrm{RpSet}, \mathrm{CmSet})$ by $\mathrm{KG} = K^{pk}$ and $H_{pk}(c, z) = \mathrm{StSim}(pk, c, z)$, 
where $K^{pk}$ is the algorithm that on input $1^k$ lets $(pk, sk) \leftarrow_{\$} K(1^k)$ and returns 
$pk$. In other words, the key is the prover’s public key. (The secret key is dis- 
carded.) The inputs to the hash function are regarded as the challenge and 
response in the Σ-protocol. The output is the corresponding commitment. The 
existence of a StHVZK simulator is exploited to deterministically compute this 
output. We refer to a family of functions defined in this way as a Σ-hash. We write 
$\mathcal{H} = \Sigma 2\mathrm{H}(\mathsf{SP})$ to indicate that $\mathcal{H}$ has been derived as above from Σ-protocol 
$\mathsf{SP}$. The following theorem says that a Σ-hash family is collision-resistant. 

Theorem 1. Let $\mathsf{SP} = (K, P, V, \mathrm{CmSet}, \mathrm{ChSet}, \mathrm{RpSet}) \in \Sigma(\mathrm{sss}) \cap \Sigma(\mathrm{StHVZK})$ 
be a Σ-protocol. Let $\mathcal{H} = (\mathrm{KG}, H, \mathrm{ChSet}, \mathrm{RpSet}, \mathrm{CmSet}) = \Sigma 2\mathrm{H}(\mathsf{SP})$ be the 
family of hash functions associated to $\mathsf{SP}$ as above. For every cr-adversary $B$ 
against $\mathcal{H}$ there exists an sss-adversary $A$ against $\mathsf{SP}$ such that for all $k$ we have 
$\mathbf{Adv}^{\mathrm{cr}}_{\mathcal{H},B}(k) \leq \mathbf{Adv}^{\mathrm{sss}}_{\mathsf{SP},A}(k)$, and the running time of $A$ is that of $B$. 

The proof of this theorem, given in the full version, is simple, but we note a 
subtlety, which is the way it relies on the (strong) HVZK and completeness of the 
Σ-protocol in addition to the strong special soundness. To construct Σ-hash func- 
tions we now seek Σ-protocols which we can show are in $\Sigma(\mathrm{sss}) \cap \Sigma(\mathrm{StHVZK})$. 

Overview of constructions. We begin, as illustrative examples, with the 
Schnorr and GQ Σ-protocols, which we can easily show to have the 
desired properties. The discrete-log based Σ-hash H-Sch obtained in the first 
case is that of Chaum, van Heijst and Pfitzmann, and its re-derivation as a 
Σ-hash sheds new light on its design and also shows how the Σ-hash paradigm 
unifies and explains existing work. The RSA-based Σ-hash H-GQ obtained in 
the second case is new. More interesting is the Fiat-Shamir Σ-protocol. It doesn’t 
satisfy strong special soundness, but we modify it to a Σ-protocol SFS that we 
prove is in $\Sigma(\mathrm{sss}) \cap \Sigma(\mathrm{StHVZK})$ under the standard factoring assumption. With 
non-standard factoring-related assumptions (that it is hard to extract modular 
square roots of products of small primes) we get a faster Σ-hash H-SMS from a 
modification of the Micali-Shamir Σ-protocol. In the full version we show how to 
get another discrete-log based Σ-hash from Okamoto’s protocol and a pairing-based 
one from the HS protocol. We proceed to the details. 

Fig. 3. Sch Σ-protocol and the derived Σ-hash family, where $\mathcal{G}$ is a prime-order group 
generator. 

  Algorithm $K(1^k)$: 
    $(\langle G \rangle, p, g) \leftarrow_{\$} \mathcal{G}(1^k)$;  $x \leftarrow_{\$} \mathbb{Z}_p$;  $X \leftarrow g^{-x}$; 
    $sk \leftarrow x$;  $pk \leftarrow (\langle G \rangle, p, g, X)$;  Return $(pk, sk)$ 

  Prover                                           Verifier 
  $y \leftarrow_{\$} \mathbb{Z}_p$;  $Y \leftarrow g^y$        ---- $Y$ ----> 
                                        <---- $c$ ----   $c \leftarrow_{\$} \mathbb{Z}_p$ 
  $z \leftarrow y + x \cdot c \bmod p$    ---- $z$ ---->   $d \leftarrow (X^c g^z = Y)$ 

  Derived Σ-hash:  $H_{pk} : \mathbb{Z}_p \times \mathbb{Z}_p \to G$,  $H_{pk}(c, z) = X^c g^z$ 

Sch. We fix a prime-order group generator, by which we mean a PT algorithm 
$\mathcal{G}$ that on input $1^k$ returns the description $\langle G \rangle$ of a group $G$ of prime order 
$p \in \{2^{k-1}, \ldots, 2^k - 1\}$ together with $p$ and a generator $g$ of $G$. The key-generation 
process and protocol underlying the Sch Σ-protocol of Schnorr are then as shown 
in Figure 3. The algorithm that on input $pk = (\langle G \rangle, p, g, X)$ picks $c, z \leftarrow_{\$} \mathbb{Z}_p$ 
and returns $X^c g^z\|c\|z$ is a HVZK simulator for Sch, so Sch $\in \Sigma(\mathrm{StHVZK})$ 
and the derived Σ-hash H-Sch is as shown in Figure 3. The key observation 
for strong special soundness is that if $X^{c_1} g^{z_1} = X^{c_2} g^{z_2}$ and $(c_1, z_1) \neq (c_2, z_2)$ 
then it must be that $c_1 \neq c_2$: if $c_1 = c_2$ then $g^{z_1} = g^{z_2}$, and since $g$ has order $p$ 
and $z_1, z_2 \in \mathbb{Z}_p$ this forces $z_1 = z_2$. To sss-adversary $A$, this leads us to associate 
the discrete log finder $D$ that on input $\langle G \rangle, p, g, X$ runs $A$ on the same in- 
put to get $(Y, c_1, z_1, c_2, z_2)$ and returns $(z_2 - z_1)(c_1 - c_2)^{-1} \bmod p$. Then for 
all $k$ we have $\mathbf{Adv}^{\mathrm{sss}}_{\mathsf{Sch},A}(k) \leq \mathbf{Adv}^{\mathrm{dl}}_{\mathcal{G},D}(k)$, where the latter is defined as the 
probability that $x' = x$ in the experiment where we let $(\langle G \rangle, p, g) \leftarrow_{\$} \mathcal{G}(1^k)$ 
and $x \leftarrow_{\$} \mathbb{Z}_p$ and then let $x' \leftarrow_{\$} D(\langle G \rangle, p, g, g^x)$. This shows that Sch has strong 
special soundness as long as the discrete log problem is hard relative to $\mathcal{G}$. By 
Theorem 1, H-Sch is collision-resistant under the same assumption. 
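As an added illustration (this is not code from the paper), the following Python implements H-Sch on a toy prime-order group and exercises the two facts just used: an honest Schnorr transcript satisfies $H_{pk}(c, z) = Y$, a collision with $c_1 \neq c_2$ yields the discrete logarithm of $X$ (the reduction $D$ above), and whoever holds the trapdoor $x$ can produce collisions at will (the chameleon property of Theorem 2). The group parameters (a 1019-element subgroup of $\mathbb{Z}_{2039}^*$), the function names and the use of `secrets` for key generation are assumptions of the example; a real instantiation needs a group of roughly 1024 bits or more.

```python
import secrets

# Toy prime-order group: the order-p subgroup of Z_P^* with P = 2p + 1.
# (Assumption for the example; the paper's rates are for 1024-bit groups.)
P = 2039   # safe prime
p = 1019   # prime order of the subgroup, P = 2p + 1
g = 4      # 4 = 2^2 is a quadratic residue mod P, hence has order p


def keygen():
    """K(1^k) of Sch: sk = x <- Z_p, pk = X = g^(-x).  The hash key is pk alone."""
    x = secrets.randbelow(p)
    X = pow(g, (-x) % p, P)
    return X, x


def h_sch(X, c, z):
    """H-Sch: H_pk(c, z) = X^c * g^z in G, for (c, z) in Z_p x Z_p.
    This is Schnorr's HVZK simulator run deterministically on (c, z): the
    output is the commitment Y that makes Y||c||z an accepting transcript."""
    if not (0 <= c < p and 0 <= z < p):
        raise ValueError("challenge and response must lie in Z_p")
    return pow(X, c, P) * pow(g, z, P) % P


def schnorr_run(X, x):
    """One honest Sch interaction: Y = g^y, random c, z = y + x*c mod p.
    The verifier's check X^c g^z = Y is exactly h_sch(X, c, z) == Y."""
    y = secrets.randbelow(p)
    Y = pow(g, y, P)
    c = secrets.randbelow(p)
    z = (y + x * c) % p
    return Y, c, z


def extract_dlog(X, c1, z1, c2, z2):
    """The sss reduction D of the text: from a collision (c1, z1) != (c2, z2)
    return w = (z2 - z1) / (c1 - c2) mod p, which satisfies g^w = X.
    With X = g^(-x) this is the secret key up to sign: x = -w mod p."""
    if (c1, z1) == (c2, z2) or h_sch(X, c1, z1) != h_sch(X, c2, z2):
        raise ValueError("not a collision")
    # c1 == c2 would force g^z1 = g^z2 and hence z1 == z2 (g has prime order),
    # so a genuine collision always has c1 != c2 and the inverse below exists.
    return (z2 - z1) * pow(c1 - c2, -1, p) % p


def chameleon_collide(x, c, z, c_new):
    """Trapdoor collision: H(c, z) = g^(z - x*c), so z' = z + x*(c_new - c) mod p
    satisfies H(c_new, z') = H(c, z).  Without x this is as hard as discrete log."""
    return (z + x * (c_new - c)) % p


if __name__ == "__main__":
    X, x = keygen()
    Y, c, z = schnorr_run(X, x)
    assert h_sch(X, c, z) == Y
    c2 = (c + 1) % p
    z2 = chameleon_collide(x, c, z, c2)
    assert h_sch(X, c2, z2) == h_sch(X, c, z)
    w = extract_dlog(X, c, z, c2, z2)
    print("trapdoor collision found; extracted dlog matches sk:", (-w) % p == x)
```

The point of the last two functions is the pair of directions Theorem 1 and Theorem 2 formalize: anyone who finds a collision has computed the discrete log of the hash key, and anyone who knows that discrete log can open the hash to any challenge.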

GQ. We fix a prime-exponent RSA generator with associated challenge length 
$L(\cdot)$, by which we mean a PT algorithm $\mathcal{G}_{\mathrm{rsa}}$ that on input $1^k$ returns an RSA 
modulus $N \in \{2^{k-1}, \ldots, 2^k - 1\}$ and an RSA encryption exponent $e > 2^{L(k)}$ that 
is a prime. The key-generation process and protocol underlying Σ-protocol GQ of 
Guillou and Quisquater are then as shown in Figure 4. The algorithm that on input 
$pk = (N, e, l, X)$ picks $c \leftarrow_{\$} \{0,1\}^l$; $z \leftarrow_{\$} \mathbb{Z}_N^*$ and returns $Y\|c\|z$, where 
$Y = X^c z^e \bmod N$, is a HVZK simulator for GQ, so GQ $\in \Sigma(\mathrm{StHVZK})$ and the 
derived Σ-hash H-GQ is as shown in Figure 4. Again observe that if $X^{c_1} z_1^e = X^{c_2} z_2^e$ 
and $(c_1, z_1) \neq (c_2, z_2)$ then $c_1 \neq c_2$. To adversary $A$ attacking the strong spe- 
cial soundness, this leads us to associate the inverter $I$ that on input $N, e, X$ 
runs $A$ on input $N, e, l, X$ where $l = L(\lfloor \log_2 N \rfloor + 1)$ to get $(Y, c_1, z_1, c_2, z_2)$ 
and returns $(z_2 z_1^{-1})^b X^a \bmod N$ where $a, b$ satisfy $ae + b(c_1 - c_2) = 1$ and are 
found via the extended gcd algorithm. (This is where we use the fact that 
$e$ is prime: $0 < |c_1 - c_2| < 2^l < e$, so $\gcd(e, c_1 - c_2) = 1$.) Then for all $k$ we have 
$\mathbf{Adv}^{\mathrm{sss}}_{\mathsf{GQ},A}(k) \leq \mathbf{Adv}^{\mathrm{rsa}}_{\mathcal{G}_{\mathrm{rsa}},I}(k)$, where the latter is defined as the 
probability that $x' = x$ in the experiment where we let $(N, e) \leftarrow_{\$} \mathcal{G}_{\mathrm{rsa}}(1^k)$ 
and $x \leftarrow_{\$} \mathbb{Z}_N^*$ and then let $x' \leftarrow_{\$} I(N, e, x^e \bmod N)$. This shows that GQ has 
strong special soundness if RSA is one-way relative to $\mathcal{G}_{\mathrm{rsa}}$. By Theorem 1, 
H-GQ is collision-resistant under the same assumption. 

Fig. 4. GQ Σ-protocol and the derived Σ-hash family, where $\mathcal{G}_{\mathrm{rsa}}$ is a prime-exponent 
RSA generator with associated challenge length $L$. 

  Algorithm $K(1^k)$: 
    $(N, e) \leftarrow_{\$} \mathcal{G}_{\mathrm{rsa}}(1^k)$;  $x \leftarrow_{\$} \mathbb{Z}_N^*$;  $X \leftarrow x^{-e} \bmod N$; 
    $l \leftarrow L(k)$;  $sk \leftarrow x$;  $pk \leftarrow (N, e, l, X)$;  Return $(pk, sk)$ 

  Prover                                            Verifier 
  $y \leftarrow_{\$} \mathbb{Z}_N^*$;  $Y \leftarrow y^e \bmod N$     ---- $Y$ ----> 
                                         <---- $c$ ----   $c \leftarrow_{\$} \{0, \ldots, 2^l - 1\}$ 
  $z \leftarrow x^c \cdot y \bmod N$      ---- $z$ ---->   $d \leftarrow (Y = X^c \cdot z^e \bmod N)$ 

  Derived Σ-hash:  $H_{pk} : \{0, \ldots, 2^l - 1\} \times \mathbb{Z}_N^* \to \mathbb{Z}_N^*$,  $H_{pk}(c, z) = X^c z^e \bmod N$ 
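As an added worked example (not code from the paper), the Python below implements H-GQ on a toy RSA modulus and carries out the inverter $I$ just described: from a collision it computes the coefficients $a, b$ with $ae + b(c_1 - c_2) = 1$ by extended Euclid and returns $X^a (z_2/z_1)^b$, which is an $e$-th root of $X$ and therefore the RSA inverse of the public key. It also shows the trapdoor side (knowing $x$, collisions are free). The modulus $N = 10007 \cdot 10009$, the exponent $e = 257$ with $l = 8$, and all function names are assumptions of the example, chosen only so that the arithmetic is readable; they offer no security.

```python
import secrets
from math import gcd

# Toy RSA parameters (assumption; the paper's rates are for a 1024-bit N).
p_, q_ = 10007, 10009
N = p_ * q_
L = 8       # challenge length l: challenges are integers in {0, ..., 2^l - 1}
e = 257     # prime exponent with e > 2^l and gcd(e, (p-1)(q-1)) = 1


def egcd(a, b):
    """Extended Euclid: returns (d, s, t) with s*a + t*b = d = gcd(a, b) >= 0."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        qq, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - qq * s1
        t0, t1 = t1, t0 - qq * t1
    return (a, s0, t0) if a >= 0 else (-a, -s0, -t0)


def random_unit():
    """x <- Z_N^* (rejection sampling)."""
    while True:
        x = secrets.randbelow(N)
        if x > 1 and gcd(x, N) == 1:
            return x


def keygen():
    """K(1^k) of GQ: x <- Z_N^*, X = x^(-e) mod N; pk = (N, e, l, X), sk = x."""
    x = random_unit()
    X = pow(pow(x, -1, N), e, N)
    return (N, e, L, X), x


def h_gq(pk, c, z):
    """H-GQ: H_pk(c, z) = X^c * z^e mod N on {0, ..., 2^l - 1} x Z_N^*."""
    N, e, l, X = pk
    if not (0 <= c < 2 ** l and 0 < z < N and gcd(z, N) == 1):
        raise ValueError("inputs outside ChSet x RpSet")
    return pow(X, c, N) * pow(z, e, N) % N


def extract_root(pk, c1, z1, c2, z2):
    """The inverter I of the text.  A collision with c1 != c2 gives
    X^(c1 - c2) = (z2/z1)^e.  With a*e + b*(c1 - c2) = 1 (extended gcd; the
    coefficients exist because 0 < |c1 - c2| < 2^l < e and e is prime),
    X = X^(ae) * X^(b(c1-c2)) = (X^a * (z2/z1)^b)^e, so the returned value is
    the e-th root of X, i.e. x^(-1) mod N."""
    N, e, l, X = pk
    if (c1, z1) == (c2, z2) or h_gq(pk, c1, z1) != h_gq(pk, c2, z2):
        raise ValueError("not a collision")
    d = c1 - c2                      # nonzero: equal challenges force z1 == z2
    one, a, b = egcd(e, d)
    assert one == 1 and a * e + b * d == 1
    w = z2 * pow(z1, -1, N) % N
    return pow(X, a, N) * pow(w, b, N) % N


def chameleon_collide(pk, x, c, z, c_new):
    """Trapdoor collision: since X = x^(-e), z' = z * x^(c_new - c) mod N gives
    X^c_new * z'^e = X^c * z^e."""
    N, e, l, X = pk
    return z * pow(x, c_new - c, N) % N


if __name__ == "__main__":
    pk, x = keygen()
    c, z = 3, 123456
    z2 = chameleon_collide(pk, x, c, z, 200)
    assert h_gq(pk, c, z) == h_gq(pk, 200, z2)
    r = extract_root(pk, c, z, 200, z2)
    print("e-th root of X recovered from the collision:", pow(r, e, N) == pk[3])
```

Note that `pow(base, negative, N)` is Python 3.8+ syntax for a modular inverse; it is what lets $b$ (and $a$) be negative without special-casing the sign from the extended gcd.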

FS and SFS. We fix a modulus generator, namely a PT algorithm $\mathcal{G}_{\mathrm{mod}}$ that 
on input $1^k$ returns a modulus $N \in \{2^{k-1}, \ldots, 2^k - 1\}$ and distinct primes $p, q$ 
such that $N = pq$. We also fix a challenge length $L(\cdot)$. If $c$ is an $l$-bit string and 
$\mathbf{u} \in (\mathbb{Z}_N^*)^l$ then we let $\mathbf{u}^c = \prod_i \mathbf{u}[i]^{c[i]}$, where the product is over $1 \leq i \leq l$ and $c[i]$ 
denotes the $i$-th bit of $c$. The key-generation algorithm and protocol underlying 
the FS Σ-protocol are then as shown in Figure 5. However this protocol does 
not satisfy strong special soundness, because if $Y\|c\|z$ is an accepting transcript 
relative to $pk = (N, l, \mathbf{u})$ then so is $Y\|c\|z'$ where $z' = N - z$. We now show 
how to modify FS so that it has strong special soundness. First, some notation. 
For $w \in \mathbb{Z}_N$ we let $[w]_N$ equal $w$ if $w < N/2$ and $N - w$ otherwise. Let $\mathbb{Z}_N^+ = 
\mathbb{Z}_N^* \cap \{1, \ldots, \lfloor N/2 \rfloor\}$. The modified protocol SFS (Strong FS) is shown in Figure 5. 
Here $\mathrm{CmSet}, \mathrm{ChSet}$ are as in FS but $\mathrm{RpSet}((N, l, \mathbf{u}))$ is now equal to $\mathbb{Z}_N^+$ rather 
than $\mathbb{Z}_N^*$ as before. In the full version we show how to associate to any PT sss-adversary 
$A$ a PT factoring adversary $B$ such that for all $k \in \mathbb{N}$ we have $\mathbf{Adv}^{\mathrm{sss}}_{\mathsf{SFS},A}(k) \leq 
2 \cdot \mathbf{Adv}^{\mathrm{fac}}_{\mathcal{G}_{\mathrm{mod}},B}(k)$, where the latter is defined as the probability that $r \in \{p, q\}$ 
in the experiment where we let $(N, p, q) \leftarrow_{\$} \mathcal{G}_{\mathrm{mod}}(1^k)$ and $r \leftarrow_{\$} B(N)$. (Briefly, 
if $Y\|c_1\|z_1$ and $Y\|c_2\|z_2$ are accepting transcripts then if $c_1 \neq c_2$ we obtain a 
square root of $\mathbf{u}^{c_1}/\mathbf{u}^{c_2}$, a quotient of public-key components, and if $c_1 = c_2$ but 
$z_1 \neq z_2$ then $z_1, z_2$ are non-trivial square roots of the same square (both lie in 
$\mathbb{Z}_N^+$, so $z_1 \neq \pm z_2$) and $\gcd(z_1 - z_2, N)$ factors $N$.) 
This shows that SFS has strong special soundness under the standard hardness- 
of-factoring assumption. Now, the algorithm that on input $pk = (N, l, \mathbf{u})$ lets 
$c \leftarrow_{\$} \{0,1\}^l$; $z \leftarrow_{\$} \mathbb{Z}_N^+$; $Y \leftarrow \mathbf{u}^c \cdot z^2 \bmod N$ and returns $Y\|c\|z$ is a HVZK 
simulator for SFS. Accordingly SFS $\in \Sigma(\mathrm{StHVZK})$ and we derive from SFS 
the Σ-hash family H-SFS shown in Figure 5. Theorem 1 implies that H-SFS is 
collision resistant under the standard factoring assumption. 
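As an added example (not code from the paper), the Python below makes the FS/SFS distinction concrete on a toy modulus. `h_fs` is the unmodified formula $\mathbf{u}^c z^2 \bmod N$ on all of $\mathbb{Z}_N^*$ and collides trivially on $(c, z)$ and $(c, N - z)$; `h_sfs` restricts the response to $\mathbb{Z}_N^+$, and `extract` carries out both branches of the sss argument: a collision with $c_1 \neq c_2$ yields a square root of $\mathbf{u}^{c_1}/\mathbf{u}^{c_2}$, and one with $c_1 = c_2$ yields a factor of $N$ via $\gcd(z_1 - z_2, N)$. Since an adversary is not supposed to be able to produce the second kind, the example manufactures one with the factorization (`nontrivial_root_pair`) purely to exercise that branch. The modulus $N = 10007 \cdot 10009$, the challenge length $l = 4$ and the function names are assumptions of the example.

```python
import secrets
from math import gcd

# Toy modulus N = pq (assumption; the paper's rates are for a 1024-bit N).
p_, q_ = 10007, 10009
N = p_ * q_
L = 4   # challenge length l (4-bit challenges keep the toy readable)


def random_unit():
    """x <- Z_N^* (rejection sampling)."""
    while True:
        x = secrets.randbelow(N)
        if x > 1 and gcd(x, N) == 1:
            return x


def keygen():
    """K(1^k) of FS/SFS: s[i] <- Z_N^*, u[i] = s[i]^(-2) mod N; pk = (N, l, u)."""
    s = [random_unit() for _ in range(L)]
    u = [pow(pow(si, -1, N), 2, N) for si in s]
    return (N, L, u), s


def vec_pow(v, c):
    """v^c: product of v[i] over the bits c[i] = 1 of the l-bit challenge c."""
    r = 1
    for i, vi in enumerate(v):
        if (c >> i) & 1:
            r = r * vi % N
    return r


def canon(w):
    """[w]_N: w if w < N/2, else N - w.  Maps Z_N^* onto Z_N^+."""
    return w if 2 * w < N else N - w


def h_fs(pk, c, z):
    """u^c z^2 mod N with z anywhere in Z_N^*: the *unmodified* FS formula.
    Not collision resistant: h_fs(c, z) == h_fs(c, N - z) for every z."""
    N, l, u = pk
    return vec_pow(u, c) * pow(z, 2, N) % N


def h_sfs(pk, c, z):
    """H-SFS: same formula, but RpSet is Z_N^+ = Z_N^* intersect {1, ..., N/2}."""
    N, l, u = pk
    if not (0 <= c < 2 ** l and 0 < 2 * z < N and gcd(z, N) == 1):
        raise ValueError("inputs outside ChSet x RpSet")
    return vec_pow(u, c) * pow(z, 2, N) % N


def extract(pk, c1, z1, c2, z2):
    """The two cases of the sss argument for SFS.
    c1 != c2: (z2/z1)^2 = u^c1 / u^c2, a square root of a quotient of
              public-key components            -> ('sqrt', root).
    c1 == c2: z1, z2 in Z_N^+ with equal squares and z1 != z2 means z1 != +-z2,
              so gcd(z1 - z2, N) is a prime factor -> ('factor', f)."""
    N, l, u = pk
    if (c1, z1) == (c2, z2) or h_sfs(pk, c1, z1) != h_sfs(pk, c2, z2):
        raise ValueError("not a collision")
    if c1 == c2:
        f = gcd(z1 - z2, N)
        assert 1 < f < N
        return "factor", f
    return "sqrt", z2 * pow(z1, -1, N) % N


def chameleon_collide(pk, s, c, z, c_new):
    """Trapdoor collision: u = s^(-2), so z' = [z * s^c_new / s^c]_N satisfies
    u^c_new z'^2 = u^c z^2 (the canonical form does not change the square)."""
    zp = z * vec_pow(s, c_new) * pow(vec_pow(s, c), -1, N) % N
    return canon(zp)


def nontrivial_root_pair(p, q):
    """Knowing p, q, build z1 != z2 in Z_N^+ with z1^2 = z2^2 mod N by CRT:
    z2 = z1 mod p and z2 = -z1 mod q.  This is the same-challenge collision the
    factoring assumption says an adversary cannot find."""
    z1 = random_unit()
    t = (-2 * z1) * pow(p, -1, q) % q        # z1 + p*t = -z1 (mod q)
    z2 = (z1 + p * t) % N
    return canon(z1), canon(z2)
```

The restriction to $\mathbb{Z}_N^+$ costs one bit of the response domain, which is exactly the "1 bit in throughput" mentioned later in the domain-extension discussion.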

MS and SMS. The Micali-Shamir protocol is a variant of FS in which 
verification time is reduced by choosing the coordinates of $\mathbf{u}$ to be small primes. 
As with FS it does not satisfy sss, but we can modify it to do so and thereby 
obtain a collision-resistant hash function H-SMS that is faster than H-SFS at 
the cost of a stronger assumption for security. To detail all this, let $\mathcal{G}_{\mathrm{sp}}$ be a small- 
prime modulus generator with challenge length $L(\cdot)$, by which we mean a PT 
algorithm that on input $1^k$ returns a modulus $N \in \{2^{k-1}, \ldots, 2^k - 1\}$, distinct 
primes $p, q$ such that $N = pq$, and an $L(k)$-vector $\mathbf{u}$ each of whose coordinates 
is a prime in $\mathrm{QR}(N) = \{x^2 \bmod N : x \in \mathbb{Z}_N^*\}$. For efficiency we would choose 
these primes to be as small as possible. (For example $\mathbf{u}[i]$ is the $i$-th prime in 
$\mathrm{QR}(N)$.) An spr-adversary $B$ against $\mathcal{G}_{\mathrm{sp}}, L$ takes input $N$ and $\mathbf{u} \in (\mathbb{Z}_N^*)^{L(k)}$ 
and returns $(x, S)$ where $x \in \mathbb{Z}_N^*$ and $S$ is a non-empty subset of $\{1, \ldots, L(k)\}$. Its 
spr-advantage is defined for all $k$ by 

$\mathbf{Adv}^{\mathrm{spr}}_{\mathcal{G}_{\mathrm{sp}},L,B}(k) = \Pr\Big[\, x^2 \equiv \prod_{i \in S} \mathbf{u}[i] \pmod N \;:\; (N, p, q, \mathbf{u}) \leftarrow_{\$} \mathcal{G}_{\mathrm{sp}}(1^k);\ (x, S) \leftarrow_{\$} B(N, \mathbf{u}) \,\Big].$ 

The SRPP (Square Roots of Prime Products) assumption says that the spr- 
advantage of any PT $B$ is negligible. Now, Figure 5 shows our modified version 
SMS of the Micali-Shamir protocol. It is in $\Sigma(\mathrm{StHVZK})$ for the same reason 
as SFS and hence the derived hash function is again as shown, where $\mathrm{SQR}(\cdot, p, q)$ 
takes input $w \in \mathrm{QR}(N)$ and returns at random one of the four square roots of 
$w$ modulo $N = pq$, computed using the primes $p, q$. Strong special soundness of 
SMS is proven in the full version under the SRPP assumption. Theorem 1 now implies that 
H-SMS is collision-resistant under the SRPP assumption. 

Fig. 5. FS, SFS, MS and SMS protocols and the Σ-hash derived from SFS, SMS. 
The first key-generation algorithm is that of FS and SFS, while the second 
one is that of MS and SMS. The first protocol is that of FS and MS while the second 
protocol is that of SFS and SMS. Here $\mathcal{G}_{\mathrm{mod}}$ is a modulus generator and $\mathcal{G}_{\mathrm{sp}}$ is a small- 
prime modulus generator. The computations are in $\mathbb{Z}_N^*$, meaning modulo $N$. 

  Algorithm $K(1^k)$ (FS, SFS): 
    $(N, p, q) \leftarrow_{\$} \mathcal{G}_{\mathrm{mod}}(1^k)$;  $l \leftarrow L(k)$; 
    For $i = 1, \ldots, l$ do  $\mathbf{s}[i] \leftarrow_{\$} \mathbb{Z}_N^*$;  $\mathbf{u}[i] \leftarrow \mathbf{s}[i]^{-2}$; 
    $sk \leftarrow \mathbf{s}$;  $pk \leftarrow (N, l, \mathbf{u})$;  Return $(pk, sk)$ 

  Algorithm $K(1^k)$ (MS, SMS): 
    $(N, p, q, \mathbf{u}) \leftarrow_{\$} \mathcal{G}_{\mathrm{sp}}(1^k)$;  $l \leftarrow L(k)$; 
    For $i = 1, \ldots, l$ do  $\mathbf{s}[i] \leftarrow_{\$} \mathrm{SQR}(\mathbf{u}[i]^{-1}, p, q)$; 
    $sk \leftarrow \mathbf{s}$;  $pk \leftarrow (N, l, \mathbf{u})$;  Return $(pk, sk)$ 

  Protocol (FS, MS): 
  Prover                                       Verifier 
  $y \leftarrow_{\$} \mathbb{Z}_N^*$;  $Y \leftarrow y^2$      ---- $Y$ ----> 
                                      <---- $c$ ----   $c \leftarrow_{\$} \{0,1\}^l$ 
  $z \leftarrow y \cdot \mathbf{s}^c$                 ---- $z$ ---->   $d \leftarrow (Y = \mathbf{u}^c \cdot z^2)$ 

  Protocol (SFS, SMS): 
  Prover                                       Verifier 
  $y \leftarrow_{\$} \mathbb{Z}_N^*$;  $Y \leftarrow y^2$      ---- $Y$ ----> 
                                      <---- $c$ ----   $c \leftarrow_{\$} \{0,1\}^l$ 
  $z \leftarrow [y \cdot \mathbf{s}^c]_N$            ---- $z$ ---->   $d \leftarrow (Y = \mathbf{u}^c \cdot z^2)$ 

  Derived Σ-hash (SFS, SMS):  $H_{pk} : \{0,1\}^l \times \mathbb{Z}_N^+ \to \mathbb{Z}_N^*$,  $H_{pk}(c, z) = \mathbf{u}^c \cdot z^2$ 
Σ = chameleon. We move from examples of Σ-hash functions to a general 
property of the class, namely that any Σ-hash function is chameleon. This is 
captured by the following. 

Theorem 2. Let $\mathsf{SP} = (K, P, V, \mathrm{CmSet}, \mathrm{ChSet}, \mathrm{RpSet}) \in \Sigma(\mathrm{StHVZK}) \cap \Sigma(\mathrm{sss}) \cap 
\Sigma(\mathrm{sc})$ be a Σ-protocol. Then the Σ-hash family H-SP $= \Sigma 2\mathrm{H}(\mathsf{SP}) = (\mathrm{KG}, H, 
\mathrm{ChSet}, \mathrm{RpSet}, \mathrm{CmSet})$ is chameleon. 

Refer to the full version for the proof of the above and the relevant definitions. As a conse- 
quence, we obtain the following new chameleon hash functions: H-GQ, H-SFS, 
H-SMS, H-Oka, H-HS. (H-Sch was already known to be chameleon.) This 
yields numerous new and more efficient instantiations of on-line/off-line signa- 
tures, chameleon signatures and designated-verifier signatures. 

Even more interestingly, we prove the converse. The following theorem says 
that any chameleon hash family is a Σ-hash family, meaning the result of apply- 
ing our Σ2H transform to some Σ-protocol. 

Theorem 3. Let $\mathcal{H} = (\mathrm{KG}, H, \mathrm{ChSet}, \mathrm{RpSet}, \mathrm{CmSet})$ be a family of chameleon 
hash functions. Then there is a Σ-protocol $\mathsf{SP} = (K, P, V, \mathrm{CmSet}, \mathrm{ChSet}, \mathrm{RpSet}) 
\in \Sigma(\mathrm{StHVZK}) \cap \Sigma(\mathrm{sss}) \cap \Sigma(\mathrm{sc})$ such that $\mathcal{H} = \Sigma 2\mathrm{H}(\mathsf{SP})$ is the Σ-hash family 
corresponding to $\mathsf{SP}$. 

The proof is in the full version. Applying this to known chameleon hash functions like H-Da 
and H-ST yields new Σ-protocols and hence new identification 
schemes and, via the commitment constructions mentioned above, new commitment schemes. 

4 Σ-Hash Practice and Performance 

In this section we cover practical issues related to Σ-hash functions, including 
performance, performance comparison with existing constructions and imple- 
mentation results. 

Extending the domain. A Σ-hash family $\mathcal{H}$ as defined above is actually a (keyed) compression function, since the domain is relatively small. In practice, however, we need to hash messages of long and variable length. This would not at first appear to be much of a problem, since we should be able to do MD iteration [?, 28]. In fact this is essentially true, but one has to be careful about a few things. What one would naturally like to do is use the second argument to $H_{pk}$ as the chaining variable. But this requires that outputs of the compression function can be regarded as chaining values, meaning $\mathrm{CmSet}(pk)$ must be a subset of $\mathrm{RpSet}(pk)$. Sometimes this is true, as for H-GQ, which in this way lends itself easily and naturally to MD iteration. But in the case of FS and MS we have $\mathrm{CmSet}((N, l, u)) = \mathbb{Z}_N^* \not\subseteq \mathbb{Z}_N^+ = \mathrm{RpSet}((N, l, u))$. In [?] we show how to resolve these problems by appropriate "embeddings" that effectively allow the second input of the compression function to be used as a chaining variable at the cost of 1 bit in throughput, and in particular allow us to run any of our Σ-hash functions in MD mode. We won't detail the general transform here, but it is instructive to describe the modified compression function. The public key has the form $(N, l, u, v)$ where $N, l, u$ are as before and $v \in QR(N)$, and $H_{pk} : \{0,1\}^l \times \mathbb{Z}_N^* \to \mathbb{Z}_N^*$ is defined by

$$H_{pk}(c, z) = u^{c} \cdot z^2 \cdot v^{f_N(z)} \bmod N, \qquad (1)$$

where $u^c$ denotes $\prod_{i=1}^{l} u[i]^{c[i]}$ and $f_N(z) = 0$ if $z \in \mathbb{Z}_N^+$ and $1$ otherwise. It can be shown that this modified function is also a Σ-hash, meaning the result of applying Σ2H to a suitably modified version of the original Σ-protocol that retains the sss, StHVZK and sc properties of the original. But now $\mathrm{CmSet}((N, l, u, v)) = \mathbb{Z}_N^* = \mathrm{RpSet}((N, l, u, v))$, so MD iteration is possible.

Table 1. Implementation results. Here $w$ is the "width" parameter determining pre-computation and the space is the number of group elements that need to be stored.

  Σ-hash | w | KB/s  | space
  -------|---|-------|------
  H-FS   | 0 | 30.85 | n/a
  H-FS   | 4 | 67.41 | 2048
  H-FS   | 8 | 118.1 | 16384
  H-MS   | 0 | 914.3 | n/a

Metrics. We measure performance of a hash function in terms of rate, which we define as the average number of bits hashed per group operation. (By "average" we mean when the data is random.) In this measure, an exponentiation $a \mapsto A^a$ costs $1.5n$ group operations and a two-fold multi-exponentiation $a, b \mapsto A^a B^b$ costs $1.75n$ group operations, where $n$ is the length of $a$ and also of $b$. We will use these estimates extensively below. We can consider two modes of operation of a given Σ-hash function, namely compression and MD. In the first case the data to be hashed by $H_{pk}$ is the full input $c, z$, while in the second case it is only $c$. (The second input is the chaining variable, which is not part of the data.) The rate in MD mode is lower than in compression mode for most hash functions. (H-FS is an interesting exception.) Compression mode is relevant when the function is being used as a chameleon hash, since the data can then be compressed with a standard (merely collision-resistant) hash function such as SHA-1 before applying the Σ-hash [?, Lemma 1]. MD mode is relevant when one wants to avoid conventional hash functions and get the full provable guarantees of the Σ-hash by using it alone. Our performance evaluations will consider MD mode.

Performance of Σ-hash functions. H-Sch and [?] can be computed with one two-fold multi-exponentiation, so that they use 1.75 group operations per bit of data (in MD mode). We now turn to H-FS. Since we are considering MD mode performance we refer to the MD-compatible version of the function from Equation (1). (But in fact performance is hardly affected by the modification.) On average about half the bits of $c$ are 1, so H-FS comes in at about 0.5 modular multiplications per bit. This explains the claim of Figure 1 in regard to H-FS without pre-computation. Now we look at how pre-computation speeds it up, using a block size of $l = 512$ (the same as MD5 and SHA-1) for illustration. The method is obvious. Pick a "width" $w$ that divides $l$ and let $t = l/w$. Letting $pk = (N, l, u, v)$ denote the public key, pre-compute and store the table $T$ with entries

$$T[i, x] = \prod_{j=1}^{w} u[(i-1)w + j]^{x[j]} \bmod N \qquad (1 \le i \le t,\ x \in \{0, \ldots, 2^w - 1\}),$$

where $x[j]$ is the $j$-th bit of $x$. The size of the table is $t 2^w = l 2^w / w$ group elements. Now computing H-FS takes $t + 2 = 2 + l/w$ multiplications, since

$$H_{pk}(c, z) = \Big(\prod_{i=1}^{t} T[i, x_i]\Big) \cdot z^2 \cdot v^{f_N(z)} \bmod N,$$

where $x_i$ is the integer with binary representation $c[(i-1)w + 1] \ldots c[iw]$ ($1 \le i \le t$). The number of group operations per bit is thus $[2 + l/w]/l \approx 1/w$, meaning the rate is $w$. Figure 1 showed the storage and this rate for $w = 4$ and $w = 8$.
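As an added example (not code from the paper), here is a Python model of the table-driven evaluation just described: Equation (1) computed bit by bit and via the width-$w$ table $T$, with multiplication counts, followed by MD iteration of the modified compression function. The tiny modulus, the random quadratic residues $u[i]$, $v$ and the sample inputs are constructed toy values, not the paper's parameters.

```python
import random

# Constructed toy modulus so the example runs instantly. NOT secure; the paper uses a 1024-bit N.
P_TOY, Q_TOY = 1000003, 1000033
N_TOY = P_TOY * Q_TOY


def keygen(l, rng):
    """Public key (N, l, u, v): u[i] and v are random quadratic residues mod N (constructed here)."""
    u = [pow(rng.randrange(2, N_TOY), 2, N_TOY) for _ in range(l)]
    v = pow(rng.randrange(2, N_TOY), 2, N_TOY)
    return (N_TOY, l, u, v)


def f_N(N, z):
    """f_N(z) = 0 if z lies in Z_N^+ = {1, ..., (N-1)/2}, and 1 otherwise."""
    return 0 if 1 <= z <= (N - 1) // 2 else 1


def h_direct(pk, c, z):
    """Equation (1) bit by bit: u^c * z^2 * v^{f_N(z)} mod N. Returns (digest, multiplications)."""
    N, l, u, v = pk
    acc, mults = 1, 0
    for i, bit in enumerate(c):                 # u^c = prod_i u[i]^{c[i]}: one multiplication per 1-bit
        if bit:
            acc, mults = acc * u[i] % N, mults + 1
    acc, mults = acc * (z * z % N) % N, mults + 2   # square z, then multiply it in
    if f_N(N, z):
        acc, mults = acc * v % N, mults + 1
    return acc, mults


def precompute(pk, w):
    """T[i][x] = prod_{j=1..w} u[(i-1)w + j]^{x[j]}, 1 <= i <= t, 0 <= x < 2^w.
    x[j] is the j-th bit of x, most significant first, matching c[(i-1)w+1] ... c[iw]."""
    N, l, u, v = pk
    assert l % w == 0
    T = []
    for i in range(l // w):
        row = []
        for x in range(1 << w):
            acc = 1
            for j in range(w):
                if (x >> (w - 1 - j)) & 1:
                    acc = acc * u[i * w + j] % N
            row.append(acc)
        T.append(row)
    return T


def h_table(pk, T, w, c, z):
    """Equation (1) via the table: t multiplications by T entries, plus z^2 and (if needed) v."""
    N, l, u, v = pk
    acc, mults = 1, 0
    for i in range(l // w):
        x_i = 0
        for bit in c[i * w:(i + 1) * w]:       # x_i has binary representation c[(i-1)w+1] ... c[iw]
            x_i = (x_i << 1) | bit
        acc, mults = acc * T[i][x_i] % N, mults + 1
    acc, mults = acc * (z * z % N) % N, mults + 2
    if f_N(N, z):
        acc, mults = acc * v % N, mults + 1
    return acc, mults


def md_hash(pk, T, w, msg_bits, iv=2):
    """MD iteration: the Z_N^* output of one call is the chaining input z of the next (CmSet = RpSet)."""
    N, l, u, v = pk
    assert len(msg_bits) % l == 0, "message assumed pre-padded to a multiple of l bits"
    z = iv
    for off in range(0, len(msg_bits), l):
        z, _ = h_table(pk, T, w, msg_bits[off:off + l], z)
    return z


def rate_estimate(l, w):
    """Group operations per bit, [2 + l/w]/l, and the resulting rate (about w)."""
    ops_per_bit = (2 + l / w) / l
    return ops_per_bit, 1 / ops_per_bit


def demo(l=16, w=4, seed=1, trials=5):
    """Checks that direct and table evaluation agree; reports the counts of the last trial."""
    rng = random.Random(seed)
    pk = keygen(l, rng)
    T = precompute(pk, w)
    consistent = True
    for _ in range(trials):
        c = [rng.randrange(2) for _ in range(l)]
        z = rng.randrange(2, N_TOY)
        direct, m_direct = h_direct(pk, c, z)
        fast, m_fast = h_table(pk, T, w, c, z)
        consistent = consistent and direct == fast
    return {"consistent": consistent,
            "mults_direct": m_direct, "expected_direct": sum(c) + 2 + f_N(N_TOY, z),
            "mults_table": m_fast, "expected_table": l // w + 2 + f_N(N_TOY, z),
            "table_entries": (l // w) * (1 << w),
            "md_digest": md_hash(pk, T, w, c + c[::-1])}
```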

Analytical assessment of the performance of H-MS is difficult, but we have implemented both it and (for comparison) H-FS. The implementation used a 1024-bit modulus and (for MD mode) a 512-bit block size. Table 1 shows that H-MS is about 30 times faster than the basic (no pre-computation) version of H-FS. The gap drops to a factor of 15 and 7.5 when compared with the $w = 4$ and $w = 8$ pre-computation levels of H-FS, respectively. Note that H-MS here is without pre-computation. (The latter does not seem to help it much.) These implementation results are on a Dual Pentium IV, 3.2 GHz machine, running a Linux 2.6 kernel and using the gmp library [?].

Comparisons. We now assess performance of previous schemes, justifying claims in Section 1. Damgård [?] shows how to construct collision-resistant hash functions from claw-free permutations [?]. Of various factoring-based instantiations of his construction, the one of [?], which we denote H-Da, seems to be the most efficient. The key is a modulus $N$, the product of two primes, one congruent to 3 mod 8 and the other to 7 mod 8, and the hash function $H_N : \{0,1\}^l \times \mathbb{Z}_N^* \to \mathbb{Z}_N^*$ is defined by $H_N(m, r) = 4^m \cdot r^s \bmod N$ where $s = 2^l$. Since multiplying by 4 is cheap, we view it as free, and the cost is then one multiplication per bit, meaning H-FS is twice as fast. But pre-computation does not help H-Da since $r$ is not fixed, and the gap in rates increases as we allow pre-computation for H-FS, as shown in Figure 1.

The key of Shamir and Tauman's [?] hash function is a modulus $N$ and an $a \in \mathbb{Z}_N^*$. With a 1024-bit modulus the chaining variable needs to be 1024 bits as well, so that with a 512-bit block size the function would take a $512 + 1024$ bit input, regard it as an integer $s$, and return $a^s \bmod N$. The computation takes 1.5 multiplications per bit of the full input, which is $1.5 \cdot (1024 + 512)/512 = 4.5$ per bit of data, meaning the rate is $1/4.5 \approx 0.22$ as claimed in Figure 1. Since $a$ is fixed, one can use the standard pre-computation methods for exponentiation. For any $v$ dividing $1024 + 512 = 1536$, the computation takes $1536/v$ multiplications with a table of $2^v \cdot 1536/v$ group elements. Note that per data bit the rate is $512/(1536/v) = v/3$. To compare to H-FS we need to choose parameters so that the storage for the two is about the same, meaning $2^w (512/w) \approx 2^v (1536/v)$. This yields $v = 1$ for $w = 4$ and $v = 6$ for $w = 8$. This explains the rates shown in Figure 1.

5 Improvements to VSH

The performance of a hash function on short inputs is important in practice. (For example, a significant fraction of Internet traffic consists of short packets.) We present a variant VSH* of VSH that is up to 5 times faster in this context while remaining proven-secure under the same assumption as VSH. The improvement stems from VSH*, unlike VSH, having a collision-resistant compression function.

Background. The key of Contini, Lenstra and Steinfeld's VSH function [?] is a modulus $N$, the product of two primes. The VSH compression function $\mathrm{vsh}_N : \{0,1\}^l \times \mathbb{Z}_N^* \to \mathbb{Z}_N^*$ is defined by

$$\mathrm{vsh}_N(c, z) = z^2 \cdot \prod_{i=1}^{l} p_i^{c[i]} \bmod N,$$

where $p_i$ is the $i$-th prime and $c[i]$ is the $i$-th bit of $c$. The hash function VSH is obtained by MD iteration of vsh with initial vector 1. A curious feature of VSH is that the compression function is not collision-resistant. Indeed, $\mathrm{vsh}_N(c, z) = \mathrm{vsh}_N(c, N - z)$ for any $c \in \{0,1\}^l$ and $z \in \mathbb{Z}_N^*$. Nonetheless, it is shown in [?] that the hash function VSH is collision-resistant based on the VSSR assumption. The latter states that given $N, l$ it is hard to find $x \in \mathbb{Z}_N^*$ and integers $e_1, \ldots, e_l$, not all even, such that $x^2 = p_1^{e_1} \cdot \ldots \cdot p_l^{e_l} \pmod N$. The proof makes crucial use of the fact that the initial vector is set to 1.

VSH*. We alter the compression function of VSH so that it becomes (provably) collision-resistant and then define VSH* by MD iteration with the initial vector being part of the data to be hashed. The first application of the compression function thus consumes much more of the input (1024 bits more for a 1024-bit modulus, for example), resulting in a significantly improved rate for the important practical case of hashing short messages. For example, the implementation results of Table 2 show speed increases of a factor of 5 over VSH when hashing 1024-bit messages. Performance for long messages is the same as for VSH. VSH* and its compression function vsh* are provably collision-resistant under the same VSSR assumption as VSH.

The inspiration comes from H-MS, which we notice is very similar to vsh but, unlike the latter, is collision-resistant. The difference is that in H-MS the primes $u[1], \ldots, u[l], v$ (referring to the MD-compatible version of the function from Equation (1)) are quadratic residues. But this turns out to be important for the completeness of the Σ-protocol rather than for collision-resistance. This leads to the compression function $\mathrm{vsh}^*_N : \{0,1\}^l \times \mathbb{Z}_N^* \to \mathbb{Z}_N^*$ defined by

$$\mathrm{vsh}^*_N(c, z) = \Big(\prod_{i=1}^{l} p_i^{c[i]}\Big) \cdot p_{l+1}^{f_N(z)} \cdot z^2 \bmod N,$$

where $p_i$ is the $i$-th prime and $c[i]$ is the $i$-th bit of $c$. As a check, notice that $\mathrm{vsh}^*_N(c, z)$ is unlikely to equal $\mathrm{vsh}^*_N(c, N - z)$ because $f_N(z) \ne f_N(N - z)$, meaning the attack showing vsh is not collision-resistant does not apply. Of course this is not the only possible attack, but the proof of strong special soundness of ΣMS [?] can be adapted to show that vsh* is collision-resistant under the VSSR assumption. Finally VSH* is obtained by MD iteration of vsh*, but with the initial vector being the first $k - 1$ bits of the input. For MD-strengthening, the standard padding method of SHA-1 is used.

Table 2. The size of the modulus used here is 1024. The block and the input size are given in bits.

  Hash Function | block size | input size | Iterations | Avg. time
  --------------|------------|------------|------------|----------
  VSH           | 128        | 8 × 128    | 9          | 140 μs
  VSH*          | 128        | 8 × 128    | 1          | 25 μs

The implementation results given in Table 2 were again obtained on a Dual Pentium IV, 3.2 GHz machine running Linux kernel 2.6 and using the gmp library [?]. We set the block size to 128 for both functions and considered hashing a 1024-bit input. In this case (even taking into account the increase in length due to MD strengthening) VSH* needs 1 application of its compression function. On the other hand VSH (with its own form of strengthening) needs 9. The implementation shows that VSH* is 5.6 times faster. We should add that our implementations (unlike those of [?]) are not optimized, but our goal was more to assess the comparative than the absolute performance of these hash functions, and this is achieved because both are tested on the same platform.
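The following Python is an added illustration (not the authors' implementation) of the vsh and vsh* compression functions, the $z \mapsto N - z$ collision that the former admits, and the iteration counts behind Table 2. The 40-bit modulus and the sample inputs are constructed toy values, both functions use SHA-1-style MD strengthening here as a simplification, and VSH* inputs shorter than $k - 1$ bits are not handled.

```python
import random

# Constructed toy modulus (NOT secure): product of two small primes, 40 bits long.
N_TOY = 1000003 * 1000033
Z_TOY = 123456789          # constructed chaining value, coprime to N_TOY


def first_primes(n):
    """The first n primes p_1, ..., p_n (trial division is fine for the sizes used here)."""
    primes, cand = [], 2
    while len(primes) < n:
        if all(cand % p for p in primes):
            primes.append(cand)
        cand += 1
    return primes


def f_N(N, z):
    """f_N(z) = 0 if z is in Z_N^+ = {1, ..., (N-1)/2}, else 1; exactly one of z, N-z lies in Z_N^+."""
    return 0 if 1 <= z <= (N - 1) // 2 else 1


def vsh(N, primes, c, z):
    """VSH compression: z^2 * prod_i p_i^{c[i]} mod N."""
    acc = z * z % N
    for p, bit in zip(primes, c):
        if bit:
            acc = acc * p % N
    return acc


def vsh_star(N, primes, c, z):
    """VSH* compression: (prod_i p_i^{c[i]}) * p_{l+1}^{f_N(z)} * z^2 mod N; needs l + 1 primes."""
    l = len(c)
    acc = vsh(N, primes[:l], c, z)
    if f_N(N, z):
        acc = acc * primes[l] % N
    return acc


def sha1_style_pad(bits, block, length_field=64):
    """MD strengthening as in SHA-1: append a 1 bit, zeros, then the bit length in length_field bits."""
    out = bits + [1]
    while (len(out) + length_field) % block:
        out.append(0)
    n = len(bits)
    return out + [(n >> (length_field - 1 - i)) & 1 for i in range(length_field)]


def vsh_hash(N, primes, block, msg):
    """VSH: MD iteration of vsh with initial vector 1. Returns (digest, number of compression calls)."""
    padded = sha1_style_pad(msg, block)
    z, calls = 1, 0
    for off in range(0, len(padded), block):
        z, calls = vsh(N, primes, padded[off:off + block], z), calls + 1
    return z, calls


def vsh_star_hash(N, primes, block, msg):
    """VSH*: the first k-1 input bits (k = bit length of N) are the initial vector; the rest is
    MD-iterated through vsh*. Toy assumption: len(msg) >= k-1 and the IV is never 0."""
    k = N.bit_length()
    assert len(msg) >= k - 1
    z = int("".join(map(str, msg[:k - 1])), 2) or 1      # k-1 bits < 2^(k-1) <= N
    padded = sha1_style_pad(msg[k - 1:], block)
    calls = 0
    for off in range(0, len(padded), block):
        z, calls = vsh_star(N, primes, padded[off:off + block], z), calls + 1
    return z, calls


def compression_calls(msg_len, block, k, star, length_field=64):
    """Iterations implied by the padding rule alone: ceil((data + 1 + length_field) / block)."""
    data = msg_len - (k - 1) if star else msg_len
    return -(-(data + 1 + length_field) // block)


def demo(block=16, seed=5):
    rng = random.Random(seed)
    primes = first_primes(block + 1)
    c = [rng.randrange(2) for _ in range(block)]
    msg = [rng.randrange(2) for _ in range(128)]         # constructed 128-bit message
    return {
        "vsh_collides": vsh(N_TOY, primes, c, Z_TOY) == vsh(N_TOY, primes, c, N_TOY - Z_TOY),
        "vsh_star_collides": vsh_star(N_TOY, primes, c, Z_TOY) == vsh_star(N_TOY, primes, c, N_TOY - Z_TOY),
        "vsh_calls": vsh_hash(N_TOY, primes, block, msg)[1],
        "vsh_star_calls": vsh_star_hash(N_TOY, primes, block, msg)[1],
        "paper_vsh_calls": compression_calls(1024, 128, 1024, star=False),        # Table 2: 9
        "paper_vsh_star_calls": compression_calls(1024, 128, 1024, star=True),    # Table 2: 1
    }
```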
Abstract. This paper studies the application of slide attacks to hash functions. Slide attacks have mostly been used for block cipher cryptanalysis. But, as shown in the current paper, they also form a potential threat for hash functions, namely for sponge-function-like structures. As it turns out, certain constructions for hash-function-based MACs can be vulnerable to forgery and even to key recovery attacks. In other cases, we can at least distinguish a given hash function from a random oracle.

To illustrate our results, we describe attacks against the Grindahl-256 and Grindahl-512 hash functions. To the best of our knowledge, this is the first cryptanalytic result on Grindahl-512. Furthermore, we point out a slide-based distinguisher attack on a slightly modified version of RadioGatún. We finally discuss simple countermeasures as a defense against slide attacks.

Keywords: slide attacks, hash function, Grindahl, RadioGatún, MAC, sponge function.

1 Introduction 

A hash function $H : \{0,1\}^* \to \{0,1\}^n$ is used to compute an $n$-bit fingerprint from an arbitrarily-sized input. Established security requirements for cryptographic hash functions are collision resistance, preimage and 2nd preimage resistance, but ideally, cryptographers expect a good hash function to somehow behave like a random oracle.

Current practical hash functions, such as SHA-1 or SHA-2 [?], are iterated hash functions, using a compression function with a fixed-length input, say $h : \{0,1\}^{n+l} \to \{0,1\}^n$, and the Merkle-Damgård (MD) transformation [?] for the full hash function $H$ with arbitrary input sizes. The core idea is to split the message $M$ into $l$-bit blocks $M_1, \ldots, M_m \in \{0,1\}^l$ (with some padding, to ensure all the blocks are of size $l$ bits), to define an initial value $X_0$, and to apply the recurrence $X_i = h(X_{i-1}, M_i)$. The final chaining variable $X_m$ is used as the hash output. The main benefit of the MD transformation is that it preserves collision resistance: if the compression function is collision resistant, then so is the hash function. Recent results, however, highlight some intrinsic limitations of the MD approach. This includes being vulnerable to multicollision attacks [?], long second-preimage attacks [?], and herding [?]. Even though the practical relevance of these attacks is unclear, they highlight some security issues which designers of new hash functions should avoid.

In general, and due to certain structural weaknesses, MD-based hash functions do not behave like random oracles. Consider, e.g., a secret key $K$, a message $M$ and define a Message Authentication Code $\mathrm{MAC}(K, M) = H(K \| M)$. If we model $H$ as a random oracle, this construction meets the expected security requirements for a MAC. But for an MD-based hash function $H$, one can easily forge authentication codes: given $\mathrm{MAC}(K, M) = H(K \| M)$, compute a valid $\mathrm{MAC}(K, M \| Y) = H(K \| M \| Y)$ without knowing the secret key $K$. Coron et al. [?] recently discussed a formal model to prove hash functions free from such structural weaknesses (but still weak against multicollision attacks).

Our contribution. Newly proposed hash function designs should not suffer from length extension. So for a new and well-designed hash function, $\mathrm{MAC}(K, M) = H(K \| M)$ should be a secure MAC. We will show that this is not the case for some recently proposed hash functions. In contrast to the case of MD-based hash functions, where one can forge messages but cannot recover $K$, our attacks allow, in general, the adversary to find $K$ (much faster than by exhaustively searching for it).

Our attacks are an application of slide attacks. These are a classical tool for block cipher cryptanalysis, but have so far not been used for hash function cryptanalysis.

The Targets for Our Attacks. A natural idea for thwarting the MD limitations is to increase the size of the internal chaining variables in the iterated process, see, e.g., [?]. Using a similar patch, sponge functions [?] followed the idea of employing a huge internal state (to hold a huge chaining variable) and of claiming a capacity $c$, typically $c > n$. This defends against attackers even if these can perform $2^{n/2}$ operations (but are still restricted to $\ll 2^{c/2}$ units of work). Here $n$ is considered a typical hash function output size (sponge functions may also provide for arbitrary output sizes, rather than for a fixed $n$).

Several recent hash functions follow this approach, including Grindahl [?] and RadioGatún [?]. As far as we know, there is no cryptanalytic attack on either RadioGatún or the 512-bit version of Grindahl, while some collision attacks for the 256-bit version of Grindahl have already been published [?].

In the current paper, we study the applicability of slide attacks to sponge functions. Our results indicate that slide attacks can be a serious threat for hash functions fitting into the sponge framework. On the other hand, if the hash function designer is aware of slide attacks, we believe it is easy to defend against such attacks. We give concrete examples by providing attacks against Grindahl [?] and two slightly tweaked versions of RadioGatún [?]. Our attack applies to both published flavours of Grindahl, the 256-bit version and the 512-bit version. As far as we know, this is the first cryptanalytic result for the 512-bit version.

Outline: in Section 2 we recall the slide attack basics, study the case of hash functions and focus on the case of sponge functions. Then, in Section 3 we give an example by applying our results to the Grindahl hash function, and discuss the vulnerability of RadioGatún to slide attacks in Section [?]. Finally, we describe cheap and simple defenses against slide attacks and conclude in Section [?].

2 Slide Attacks

Block ciphers are often designed as a keyed permutation which is applied for many rounds. It is a common belief that increasing the number of rounds makes the cipher stronger, but this is only true for statistical attacks such as differential or linear cryptanalysis. Some attacks can be applied even to block cipher variants with an arbitrary number of rounds. This is true for certain related-key attacks, and for slide attacks. The usual defense is to strengthen the key schedule and the keyed permutation itself. Related-key attacks were introduced by Biham [?] and independently by Knudsen [?]. Slide attacks [?] utilize the self-similarity of the cipher, typically caused by a periodic key schedule. An $r$-round block cipher with the same keyed permutation $F^i$ in each round can be attacked by slide attacks if $F^i$ is a weak permutation, i.e. the key used in $F^i$ can be found from a slid plaintext-ciphertext pair.

2.1 Slide Attacks on Block Ciphers

Slide attacks on block ciphers have been applied to some ciphers with a weak key schedule (see [?]). The original slide attack [?] works as follows. An $n$-bit block cipher $E$ with $r$ rounds is split into $b$ identical rounds of the same keyed permutation $F^i$ for $i \in \{1, \ldots, b\}$. In the simplest case we have $b = r$, where the key schedule produces the same key in each round¹. Thus we write the cipher as $E = F^1 \circ F^2 \circ \cdots \circ F^b = F \circ F \circ \cdots \circ F$. A plaintext $P_j$ is then encrypted as

$$P_j \xrightarrow{F} X^{(1)} \xrightarrow{F} X^{(2)} \xrightarrow{F} \cdots \xrightarrow{F} X^{(b)},$$

where $X^{(i)}$ represents the intermediate encryption value after application of $F^i$ and $X^{(b)} = C_j$ is the corresponding ciphertext. To mount a slide attack one has to find a slid pair of plaintexts $(P_j, P_k)$ such that

$$P_k = F(P_j) \quad \text{and} \quad C_k = F(C_j) \qquad (1)$$

hold; see also Figure 1.

Slide attacks can only be applied to a small class of ciphers with weak permutations and periodic key schedules. A permutation is weak if, given the two equations in (1), it is easy to extract a non-negligible part of the secret key. With $2^{n/2}$ known plaintext/ciphertext pairs $(P_i, C_i)$ we expect at least one pair satisfying $P_k = F^i(P_j)$ among these texts by the birthday paradox. This gives us a slid pair. Thus, the classical slide attack allows one to recover the unknown key of an $n$-bit block cipher using $O(2^{n/2})$ known plaintexts.

¹ Note that $F^i$ might include more than one round of the cipher. If the key schedule produces identical keys with period $p$, then $F^i$ includes $p$ rounds of the original cipher.

Fig. 1. A slide attack on block ciphers: the encryption $P_j \to X^{(1)} \to X^{(2)} \to \cdots \to C_j$ is slid by one round against $P_k \to X^{(1)} \to X^{(2)} \to \cdots \to X^{(b-1)} \to C_k$, each arrow being one application of $F$.

Advanced sliding techniques like complementation slide and sliding with a twist were introduced by Biryukov and Wagner [?]. These techniques allow one to attack ciphers with a more complex key schedule. The basic concept of complementation slide is to slide two encryptions against each other where the inputs to the rounds may have a difference which is canceled out by a difference in the keys, while in the sliding-with-a-twist technique an encryption is slid against a decryption. The realigning slide attack allows one to slide encryptions with unslid rounds in the middle of the slide. Biham et al. [?] improved the slide attack to detect a large number of slid pairs very efficiently by using the relation between the cycle structure of the entire cipher and that of the keyed permutation.


2.2 Slide Attacks on Hash Functions

Slide attacks in a hash function setting have attracted very little consideration in the literature. To our knowledge, the only paper considers an attack on the internal block cipher of SHA-1 [?]. However, no direct way to transform it into a practical attack on the hash function has yet been found.

Slide attacks for block ciphers are different in some aspects from those applied to hash functions. By definition, block cipher computations depend on a secret key, and slide attacks are typically employed to distinguish a block cipher from a random permutation, and often for a key recovery attack to follow.

In the hash function case, there is no secret key to recover, just the message to be hashed, and the adversary is allowed to know this message, or even to choose it. Typical attacks on hash functions are about finding collisions or preimages, and it is hard to see how slide attacks could be employed in that context. But even for hash functions, a slide property that can be detected with some significant probability will allow us to differentiate the scheme from a random oracle. Indeed, with such a property, one can show a non-random behavior of the hash function. This is already an issue, since hash functions are often utilized to simulate a random oracle, as they are considered to be the closest practical primitive to this theoretical object. Going further, when secret data is used as part of the input of the hash function, one can try to recover some information from it. The natural primitives where hash functions handle secret data are of course Message Authentication Codes (MACs), which permit authenticating a message $M$ with a symmetric secret key $K$. For example, constructions such as HMAC [?] are implemented in a lot of different applications and make only two calls to a hash function. HMAC has the advantage of only requiring the internal function to be weakly collision resistant and also of providing secure MACs with MD-based hash functions. Note that an HMAC-based patch is one of the new domain extension algorithms proposed by Coron et al. [?] to thwart the simple MD-based MAC attacks. Those attacks are no more than a slide attack on the MD domain extension algorithm.

Generally, a good hash function $H$ should provide a good MAC with the following computations: $\mathrm{MAC}(K, M) = H(K \| M)$ or $\mathrm{MAC}(K, M) = H(K \| M \| K)$. Just like for block ciphers, if the hash function considered is not protected, one may be able to recover some non-negligible part of the secret key $K$ with a slide property that can be detected with good probability. One has to note a work from Sasaki et al. [?] that attacks prefix, suffix and hybrid approaches for MAC constructions by using inner collisions for MD4, and a work from Preneel and Van Oorschot [?] that studies the envelope approach instantiated with MD5.

2.3 Slide Attacks on "Extended" Sponge Constructions

We analyze in this section how one can apply slide attacks to sponge-based hash functions, a newly introduced framework for building hash functions [?]. More precisely, we use the "extended" sponge functions, a more general framework.

The "extended" sponge framework. Assume that $H$ is an iterative hash function with an internal state of $c$ words of $p$ bits each and a final output size of $n$ bits. Let $M = M^1 \| M^2 \| \cdots \| M^l$ be the $(m \times p)$-bit blocks of the message to hash, with $M^l \ne 0^{m \times p}$ (the message is padded before being split into blocks). Let $M^i$ be the message block hashed at round $i$ and $X^i$ the internal state after processing $M^i$, with $X^0 = IV$. We then have $X^i = F(S(X^{i-1}, M^i))$, where $F$ is the round function and $S$ defines how the message is incorporated into the internal state. Once all the $l$ message blocks have been processed, $r$ blank rounds (rounds with no message input) $X^i = F(X^{i-1})$ are applied, and $A := X^{l+r}$ is the final internal state. Finally, we derive $n$ output bits by using the final output function $T(X^{l+r})$. Such a hash function can be written as

$$H(M) = X^0 \xrightarrow{F(S(X^0, M^1))} X^1 \xrightarrow{F(S(X^1, M^2))} \cdots \xrightarrow{F(S(X^{l-1}, M^l))} X^l \xrightarrow{F(X^l)} \cdots \xrightarrow{F(X^{l+r-1})} A \xrightarrow{T} T(A),$$

where $T(A)$ represents the hash output. One has to note that for efficiency reasons, and since the internal state will be big in practice, $F$ is usually a quite light and fast round permutation.

This framework is really general, and especially more general than the original sponge function one. More precisely, in the original model, $S$ introduces the message blocks by XORing them to particular positions of the internal state. However, in our situation, we can also consider a function $S$ that replaces some bits of the internal state by the message bits. We call the former XOR sponge and the latter overwrite sponge. Moreover, in the original model, the final output function $T$ continues to apply some blank rounds and extracts some bits from the internal state at the end of each application, until $n$ bits have been received. In our framework we can also consider the case where the output bits come from a direct truncation of the final internal state $A$, and we call it truncated sponge.

There are two security issues related to the general design of sponge functions. One issue is invertibility: one can run the function $F$ in both directions. The second issue is self-similarity: all the blank rounds behave identically, and even a normal round can behave as a blank round if we have $X^{i-1} = S(X^{i-1}, M^i)$ (the effect of adding the message block is void). In the case of a XOR sponge we need $M^i = 0$, and in the case of an overwrite sponge we require that $M^i$ is equal to the overwritten part of the internal state.

We will exploit self-similarity for our slide attacks. The idea is that if one message $M_1 = M^1 \| \ldots \| M^l$ is the prefix of message $M_2 = M^1 \| \ldots \| M^l \| M^{l+1}$, the extended state after processing the first $l$ blocks is the same. Now, if $X^l = S(X^l, M^{l+1})$, processing the next message block $M^{l+1}$ for the longer message is the same as the first blank round when hashing the shorter message: the extended states remain identical. We call these two messages a slid pair: the two final internal states are just one permutation away, $B := X_2^{l+r+1} = F(X_1^{l+r})$. The slide attack is shown in Table [?]. Once we are able to generate a slid pair, we need to detect it. This fully depends on the output function $T$. When $T$ is defined as in the original sponge framework, it is very easy to detect a slid pair: most of the output bits will be equal, just shifted by one round. If $T$ is a truncation, we need to do a case-by-case analysis depending on the strength of the round function $F$ and the number of bits thrown away. Yet finding and detecting a slid pair already allows us to differentiate the hash function from a random oracle.

We can try to go further, by attacking a MAC with prefix key, i.e. $\mathrm{MAC}(K, M)$. Note that such a construction makes sense, as using HMAC based on a sponge hash function will turn out to be very inefficient. This is due to the fact that hashing very short messages (required in HMAC by the second hash function call) is quite slow because of the blank rounds. Therefore, Bertoni et al. [?] proposed to use prefix-MAC instead of HMAC.

Consider a secret key $K$. For simplicity and without loss of generality, we assume $K$ to be a uniformly distributed $(k \times m \times p)$-bit random value (i.e. $k$ message words long), for some public integer constant $k$. We will write $K = (K^1, \ldots, K^k) \in (\{0,1\}^{m \times p})^k$. The adversary is allowed to choose message challenges $C_i$, while the oracle replies $\mathrm{MAC}(K, C_i) = H(K \| C_i)$. Ideally, finding $K$ in such a scenario would require the adversary to exhaustively search over the set of all possible $K \in \{0,1\}^{k \times m \times p}$, thus taking $2^{k \times m \times p - 1}$ units of time on average. Forging a valid MAC depends on the size of the hash output and the size of the key; with a generic attack it requires $\min\{2^{k \times m \times p - 1}, 2^n\}$ units of time. A pair of challenges $(C_i, C_j)$, with $C_i = C^1 \| C^2 \| \cdots \| C^l$ and $C_j = C_i \| C^{l+1}$, is called a slid pair for $K$ if their final internal states are slid by one application of the blank round function as:

$$X_j^{k+l+r+1} = F(X_i^{k+l+r}).$$

Provided that one can generate slid pairs and detect them, one can also try to retrieve the internal state $X_i^{k+l+r}$ thanks to this information. Again, a case-by-case analysis is required here. When $X_i^{k+l+r}$ is known, one can invert all the blank rounds and get $X_i^{k+l}$. Note that with this information, an attacker can directly forge valid MACs for any message that contains $M$ as prefix (exactly like the extension attacks against MD-based hash functions). If the round function with the message is also invertible, we can continue to invert all the challenge rounds and get $X_i^k$. This will allow us to recover some non-trivial information on the secret key $K$.

A general outline of the attack is as follows:

1. Find and detect slid pairs of messages

2. Recover the internal state

3. Uncover some part of the secret key or forge valid MACs

The padding is very important here: for the XOR sponge functions, an appropriate padding can avoid slide attacks. Indeed, in that case, we require $M^l = 0^{m \times p}$ to get a slid pair. This gives an explanation why the condition $M^l \ne 0^{m \times p}$ is needed for the indifferentiability proofs of XOR sponge functions. However, for the truncated sponge function, a padding is ineffective to avoid slide attacks.
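The slide property and the effect of the padding rule, as an added example (not the paper's code) on a constructed toy extended sponge: the round permutation $F$, the XOR and overwrite absorptions $S$, the blank rounds and the squeezing output function are all small stand-ins, and the slid block is computed from the public state $X^l$ as in the unkeyed setting.

```python
import random

# Constructed toy "extended" sponge (not Grindahl, not RadioGatun): c words of p bits,
# m-word message blocks, r blank rounds. F is a toy permutation standing in for the real round function.
C_WORDS, P_BITS, M_WORDS, R_BLANK = 8, 8, 2, 3
MASK = (1 << P_BITS) - 1


def F(state):
    """Toy round permutation: each step is a bijection on the whole state, so F is invertible like a real F."""
    s = list(state)
    for i in range(C_WORDS):
        s[i] = (s[i] + s[(i + 1) % C_WORDS]) & MASK             # add a neighbour word (bijective in s[i])
        s[i] = ((s[i] << 3) | (s[i] >> (P_BITS - 3))) & MASK    # rotate the word
        s[i] ^= 0x5A ^ i                                        # round constant
    return s[1:] + s[:1]                                        # rotate the words


def S_xor(state, block):
    """XOR sponge: the block is XORed into the first m words."""
    s = list(state)
    for i, word in enumerate(block):
        s[i] ^= word
    return s


def S_overwrite(state, block):
    """Overwrite sponge (as in Grindahl): the block replaces the first m words."""
    return list(block) + list(state[M_WORDS:])


def absorb(blocks, S):
    """X^i = F(S(X^{i-1}, M^i)) for every block, starting from the all-zero IV."""
    X = [0] * C_WORDS
    for blk in blocks:
        X = F(S(X, blk))
    return X


def final_state(blocks, S, r=R_BLANK):
    """A = X^{l+r}: absorb, then r blank rounds X^i = F(X^{i-1})."""
    X = absorb(blocks, S)
    for _ in range(r):
        X = F(X)
    return X


def T_squeeze(A, n_words=4):
    """Original-sponge output function: extract one word, apply a blank round, repeat."""
    out, X = [], A
    while len(out) < n_words:
        out.append(X[0])
        X = F(X)
    return out


def slid_block(X, S):
    """Block M^{l+1} with S(X^l, M^{l+1}) = X^l, turning the message round into a blank round."""
    return [0] * M_WORDS if S is S_xor else X[:M_WORDS]


def make_slid_pair(blocks, S):
    """(M1, M2) with M2 = M1 || M^{l+1}; X^l is computable here because the hash is unkeyed."""
    return blocks, blocks + [slid_block(absorb(blocks, S), S)]


def is_slid(A, B):
    """State-level detection of a slid pair: the final states are one permutation apart, B = F(A)."""
    return B == F(A)


def last_block_nonzero(blocks):
    """The padding condition M^l != 0 that indifferentiability proofs of XOR sponges require."""
    return any(blocks[-1])


def analyse(S, n_blocks=4, seed=7):
    rng = random.Random(seed)
    M1 = [[rng.randrange(1 << P_BITS) for _ in range(M_WORDS)] for _ in range(n_blocks)]  # constructed
    M1, M2 = make_slid_pair(M1, S)
    A, B = final_state(M1, S), final_state(M2, S)
    return {
        "slid": is_slid(A, B),                                      # final states one F apart
        "squeeze_shifted": T_squeeze(B)[:-1] == T_squeeze(A)[1:],   # output words equal, shifted by one round
        "padding_allows_pair": last_block_nonzero(M2),             # False: the M^l != 0 rule blocks the pair
    }
```

For the XOR sponge the slid block is the all-zero block, so the padding rule rules the pair out; for the overwrite sponge the slid block is a copy of the overwritten state words, which the same rule does not exclude.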

3 Applications 

3.1 The Grindahl Design 

Grindahl is a new hash function introduced by Knudsen et al. in Jri ). that 
fits our extended sponge framework. More precisely, it is an overwrite sponge 
function. There are two concrete instantiations of the Grindahl hash function 
family: a 256-bit and a 512-bit hash function proposed in the original Grindahl 
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paper & The parameters of these instantiations in our framework are defined 
as follows: 

Grindahl-256 |i3 |. Grindahl-256 is a 256-bit hash function with N r = 4 and 
N c = 12. The rotation amounts are (po, • ■ • , pz) = (1,2, 4, 10). 
Grindahl-512 j22i |. Grindahl-512 is a 512-bit hash frmction with N r = 8 and 
N c = 12. The rotation amounts are (po, • • • , Pt) = (1,2,. . . , 8). 

Note that the internal state of Grindahl can also be viewed as a matrix. 
Therefore, we define N r and N c to be the number of rows and columns of p-bit 
word respectively: we have N r x N c = c. For each instance of Grindahl we 
have p = 8. The message chunk entering at each round can then be viewed as 
one column, thus m = N r . 

For Grindahl the padding consists of 10-padding and length-padding: 

1. 10-padding appends a "1"-bit to the message, followed by as many "0"-bits 
as needed to complete the last message block. 

2. Length-padding then appends the number of message blocks (not bits!) for 
the entire padded message as a 64-bit value. 

One effect of the 10-padding is that the last message block before the length-
padding can be any value, except for the all-zero block. (Or equivalently, any 
nonzero block $B$ can be split up into an incomplete block $R$ plus 10-padding: 
$B = R + P^{10}$. Note that $R$ is 0 bits long if $B = 1000\ldots0$.) 

A message $M = M^1 \| \dots \| M^l$ of 32-bit blocks $M^i$ in the case of Grindahl-256, 
with an incomplete last block $M^l$, will be padded to $\mathrm{Pad}(M) = M^1 \| \dots \| M^l + P^{10} \| M^{l+1} \| M^{l+2}$, 
where $P^{10}$ is the 10-padding. This padded message has the following properties: 

1. The last-but-two message block is not zero: $M^l + P^{10} \neq 0^{32}$. 

2. The final two message blocks contain the 64-bit integer $l$: $(M^{l+1} \| M^{l+2}) = l$. 
(From the Grindahl sample implementation, we conclude that the 32 least significant 
bits of the 64-bit value are stored in $M^{l+2}$, while the most significant bits go 
into $M^{l+1}$.) 

Similarly for Grindahl-512, a message $M = M^1 \| \dots \| M^l$ of 64-bit blocks $M^i$, 
where $M^l$ is also incomplete, is padded to $\mathrm{Pad}(M) = M^1 \| \dots \| M^l + P^{10} \| M^{l+1}$ 
and has the following properties after padding: 

1. The last-but-one message block is not zero: $M^l + P^{10} \neq 0^{64}$. 

2. The last message block contains the 64-bit integer $l$: $M^{l+1} = l$. 

Most hash functions for variably-sized inputs iterate an underlying compression 
function for fixed-size inputs. Grindahl is no exception. At the end, the output 
will be the first $n/(p \times N_r)$ columns of the final internal state, i.e., Grindahl 
is a truncated sponge. Internally, Grindahl uses a state of $N_r \times N_c$ words 
of $p$ bits each. The compression function takes one $m$-word message block and 
an $(N_r \times N_c)$-word internal state as its input and generates a new internal state 
(again of size $N_r \times N_c$ words, of course) as its output. 
Regarding this compression function, Grindahl follows a general three-step 
design strategy. Assume an $m$-word message block, which we write as $M^i$, and 
an $(N_r \times N_c)$-word internal state, which we write as an $N_c$-tuple of $N_r$-word 
columns $(X^1, \dots, X^{N_c}) \in (\{0,1\}^{p \times N_r})^{N_c}$. The incorporation step, which concatenates a 
message block to the internal state, is straightforward: 

$$S : \{0,1\}^{p \times N_r} \times \{0,1\}^{p \times N_r \times N_c} \to \{0,1\}^{p \times N_r + p \times N_r \times N_c}, \quad S(M^i, (X^1, \dots, X^{N_c})) = (M^i, X^1, \dots, X^{N_c}).$$ 

The $(p \times N_r + p \times N_r \times N_c)$-bit output of the incorporating step $S$ is the extended 
state $(X^0, \dots, X^{N_c})$. The second step is a permutation over the extended state: 

$$P : \{0,1\}^{p \times N_r + p \times N_r \times N_c} \to \{0,1\}^{p \times N_r + p \times N_r \times N_c}, \quad P(X^0, \dots, X^{N_c}) = (Y^0, \dots, Y^{N_c}).$$ 

$P$ is a permutation based on Rijndael primitives: 

$$P(X^0, \dots, X^{N_c}) = \mathrm{MixColumns} \circ \mathrm{ShiftRows} \circ \mathrm{SubBytes} \circ \mathrm{AddConstant}\,(X^0, \dots, X^{N_c}).$$ 

MixColumns. Is a linear matrix multiplication of each state matrix column 
with a constant matrix. This transformation is defined as in the Rijndael spec-
ification for the 256-bit version of Grindahl. 

ShiftRows. This transformation cyclically shifts bytes a number of positions 
along each row. Thus, the $i$-th row is rotated by $\rho_i$ positions to the right. 

SubBytes. The only non-linear part of the permutation, exactly defined as the 
SubBytes function of Rijndael. 

AddConstant. This function is a simple XORing of the state matrix with a 
constant matrix of the same size, where all bytes are zero except for one. 

See the Grindahl specification for a detailed description. The third operation is as 
straightforward as the first one: the first $p \times N_r$ bits of the $(p \times N_r + p \times N_r \times N_c)$-
bit extended state are truncated away, to get a new $(p \times N_r \times N_c)$-bit internal 
state $(Y^1, \dots, Y^{N_c})$: 

$$R : \{0,1\}^{p \times N_r + p \times N_r \times N_c} \to \{0,1\}^{p \times N_r \times N_c}, \quad R(Y^0, Y^1, \dots, Y^{N_c}) = (Y^1, \dots, Y^{N_c}).$$ 

See Figure 2 for a visual illustration of this design strategy. Note that the final 
truncation in one iteration and the initial concatenation of the message 
block in the next iteration together are tantamount to simply overwriting the 
corresponding column of the extended internal state. The final truncation is 
specified as 

$$T : \{0,1\}^{p \times N_r + p \times N_r \times N_c} \to \{0,1\}^{n}, \quad T(Y^0, \dots, Y^{N_c}) = (Y^1, \dots, Y^{n/(p \times N_r)}).$$ 

Let $\alpha$ be the internal state matrix with $N_c$ columns and $N_r$ rows, while $\alpha'$ 
represents the extended internal state with $N_c + 1$ columns and $N_r$ rows. For 
a padded message $M = M^1 \| \dots \| M^d$ the Grindahl hash function does, for 
$0 < i < d$: 

$$\alpha \leftarrow R(P(S(M^i, \alpha))).$$ 

For the last message input $M^d$ Grindahl performs $\alpha' \leftarrow P(S(M^d, \alpha))$. The 
truncation $R$ is omitted after the last message input and finally 8 blank rounds 
with no message input are performed. These rounds consist only of the $P$ op-
eration on $\alpha'$. The final output remains after performing the output truncation 
$T$, which leaves the $n$-bit output. 

Fig. 2. The general design of the Grindahl compression function (figure not reproduced: 
a message block and the internal state enter $S$, then $P$, then the truncation $R$). 

3.2 Slide Attacks on Grindahl-512 

Find slid pairs of messages. Building the challenge that generates a slid pair 
works as follows. We choose a message $M_1 = M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l$, where 
$M_1^l$ is an incomplete block which will be padded. The MAC therefore processes 

$$\mathrm{Pad}(K \| M_1) = K \| M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l + P_1^{10} \| P_1^L,$$ 

where $P_1^{10}$ is the 10-padding of $M_1^l$ and $P_1^L$ is the one-block encoding of the message 
length. The value of $P_1^L$ can be chosen by the attacker by adjusting the mes-
sage length. For each $M_1$ we build the message $M_2 = M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l + P_1^{10} \| R$, 
where $R$ is an incomplete block. The MAC processes 

$$\mathrm{Pad}(K \| M_2) = K \| M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l + P_1^{10} \| R + P_2^{10} \| P_2^L,$$ 

and by choosing $R$ such that $R + P_2^{10} = P_1^L$ (such an $R$ exists since $P_1^L$ is nonzero) we have 

$$\mathrm{Pad}(K \| M_2) = K \| M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l + P_1^{10} \| P_1^L \| P_2^L.$$ 

The messages $M_1$ and $M_2$ only differ in one additional block at the end. A pair 
$(M_1, M_2)$ will be a slid pair with probability $2^{-64}$: the additional block overwrites 
one 64-bit column of the extended state, and the pair is slid exactly when that column 
already held this value. Detecting a slid pair is quite 
Fig. 3. Detecting a slid pair of messages for Grindahl-512. Cells in dark gray mark 
known bytes while cells in light gray mark unknown bytes. The inverse MixColumns 
($\mathrm{MC}^{-1}$) and the inverse ShiftRows ($\mathrm{SR}^{-1}$) are the only two operations which are 
important for our analysis: AddConstant and SubBytes leave known (respectively unknown) 
bytes known (respectively unknown). Therefore we omit the other operations. 


simple. Let $T_A = A^0, \dots, A^7$ and $T_B = B^0, \dots, B^7$ be the query outputs (the 
truncated final internal states $A$ and $B$). Then the condition $B = P(A)$ holds 
for a slid pair only. We cannot directly apply another blank round to $A$ since 
we only know $T_A$ and not $A$. However, $T_A$ and $T_B$ leave enough information 
for detecting a slid pair. We can invert $T_B$ one blank round and compare the 
resulting bytes with the bytes known from $T_A$. Thus, we can compare 34 bytes 
of $T_A$ with the known bytes obtained from inverting $T_B$. In this way we can 
detect a slid pair, since one occurs among $2^{64}$ pairs while a false pair passes the 
34-byte comparison with probability only $2^{-8 \cdot 34} = 2^{-272}$. Figure 3 shows the backward 
computation of one blank round. 
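
The following Python code is an added example, not part of the paper nor Grindahl's reference implementation. It carries out the padding rules of Section 3.1 and the challenge construction just described: bit-level 10-padding plus the 64-bit block-count length field, the split of a nonzero block $B$ into $R$ with $R + P^{10} = B$, and the construction of $M_2$ from $M_1$ so that $\mathrm{Pad}(K \| M_2)$ equals $\mathrm{Pad}(K \| M_1)$ followed only by the new length block(s). With 64-bit blocks this is the Grindahl-512 challenge above; the same code goes beyond it and, run with 32-bit blocks on a short message (so that the high length word is zero), reproduces the short-message, slid-by-two variant of Appendix A.3. Messages and keys are strings of '0'/'1' characters, the key is one block, and whether the block count includes the length blocks themselves is an assumption that does not affect the construction.

```python
"""Grindahl-style padding and the slid-pair challenge construction.
Added example, not the paper's or Grindahl's own code. Messages and keys are
strings of '0'/'1' characters so that the bit-level 10-padding is exact."""

LENGTH_BITS = 64  # the block count is encoded as a 64-bit value


def pad10(bits: str, block: int) -> str:
    """10-padding: a '1' bit, then '0' bits up to the next block boundary."""
    bits += "1"
    return bits + "0" * (-len(bits) % block)


def unpad10(block_bits: str) -> str:
    """Split a nonzero block B into R with pad10(R) == B (R is empty for B = 100...0)."""
    if "1" not in block_bits:
        raise ValueError("an all-zero block cannot be written as R + 10-padding")
    return block_bits[: block_bits.rindex("1")]


def grindahl_pad(bits: str, block: int) -> list:
    """Pad and split into `block`-bit blocks: 10-padding, then the number of blocks of
    the entire padded message as a 64-bit value spread over 64 // block length blocks,
    most significant word first (as in the Grindahl sample implementation).
    Assumption: the count includes the length blocks themselves."""
    padded = pad10(bits, block)
    blocks = [padded[i:i + block] for i in range(0, len(padded), block)]
    n_len = LENGTH_BITS // block
    length = format(len(blocks) + n_len, "0%db" % LENGTH_BITS)
    return blocks + [length[i:i + block] for i in range(0, LENGTH_BITS, block)]


def build_challenge(key: str, m1: str, block: int):
    """Return (m2, extra) with Pad(key||m2) == Pad(key||m1) + extra, where extra is
    only the length field of the longer message: m2 is m1's padded blocks, including
    the length blocks except the last one, followed by R with R + 10-padding equal
    to that last length block (it is nonzero, so R exists)."""
    assert len(key) % block == 0, "the key is a whole number of blocks"
    p1 = grindahl_pad(key + m1, block)
    key_blocks = len(key) // block
    m2 = "".join(p1[key_blocks:-1]) + unpad10(p1[-1])
    p2 = grindahl_pad(key + m2, block)
    assert p2[: len(p1)] == p1, "padded streams must share the prefix"
    return m2, p2[len(p1):]


def slid_probability_log2(block: int) -> int:
    """A pair is slid only if every extra block equals the column it overwrites:
    log2 of the probability is -(bits per block) * (number of extra blocks),
    i.e. -64 for both the one-block (512) and the two-block (256) length field."""
    return -block * (LENGTH_BITS // block)


if __name__ == "__main__":
    key64 = format(0x0123456789ABCDEF, "064b")          # constructed one-block key
    m1 = format(0xDEADBEEF, "032b") * 3 + "1011"         # constructed 100-bit message
    for block in (64, 32):
        m2, extra = build_challenge(key64[:block], m1, block)
        print(block, "extra blocks:", extra, "log2 P[slid] =", slid_probability_log2(block))
```

The `assert` inside `build_challenge` is the whole point: the two padded streams agree block for block up to the end of the shorter one, so the only difference the hash sees is the trailing length block(s), which is what makes the pair a candidate slid pair with the stated probability.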

Recover the internal state. A challenge $(M_1, M_2)$ which produces a slid 
pair $(T_A, T_B)$ can be used to recover the final internal state $A$ (corresponding 
to the computation of $M_1$) just before the final truncation. Since the columns 
$A^8$ to $A^{12}$ are unknown, we have to recover 40 bytes. As shown in Figure 3, 
we can directly recover 30 bytes of $A$ by computing $T_B$ one blank round 
backward, exactly as when we tried to detect slid pairs: we can fully invert the 
MixColumns transformation for the eight first columns (where all the bytes are 
known), and then it is also very easy to invert the ShiftRows, SubBytes and AddConstant 
transformations. So, when looking at Figure 3, it is clear that the attacker can 
directly get 30 unknown bytes of $A$. The remaining 10 unknown bytes can 
be recovered in a different way. For each possibility among those bytes ($2^{8 \cdot 10} = 2^{80}$ 
possibilities), we invert all the blank rounds and check if the last added 
word (the first encountered when computing backward) is $P_1^L$. Indeed, when 
inverting the real internal state $A$, we surely come to the insertion of $P_1^L$, and 
this can be easily detected since we know this message block and since the 
message insertion overwrites the first column of the internal state. Now we are 
dealing with $2^{80-64} = 2^{16}$ possibilities only, and we have to be careful, since 
some bytes become undetermined if we continue the backward computation. The 
undetermined bytes are those which are replaced by the inserted message word 
during the message input step (due to the overwriting). However, we do not need 
them to discriminate among the $2^{16}$ remaining possibilities, and we can compute one 
more round backward to check if we finally obtain the inserted message word $M_1^l + P_1^{10}$. 
This leaves us the complete internal state $A$. 

Uncover some parts of the secret key or forge valid MACs. By knowing 
the whole internal state $A$ it is straightforward to invert the blank rounds. With 
this information, we can directly generate new valid MACs for messages which 
contain $M_1$ as prefix: we just have to continue the computation of the hash 
function by ourselves. 

We can also try to invert the rounds where known message words are inserted. 
Some parts of the internal state are undetermined because of the truncation when 
adding message words, as mentioned in the previous section. We can guess those 
undetermined columns by only keeping those which lead to the correct inserted 
message words in the first column. This is the same as what we did above to recover 
the final internal state. By trying all the possible values of the truncated column, 
we can continue going backward and check which one leads to the known correct 
values of the message blocks inserted a few rounds before. Some trials will lead 
to wrong inserted message blocks and can be discarded. The ones leading to the 
correct values have a good chance to be the real erased bytes. Thus, we can go 
backward for all the known message words and recover the erased columns until 
we have to stop this procedure when we reach the unknown secret key word. 
The last unknown column which can be recovered is the column before inserting 
$M_1^0$. Now, with all this information we can recover 4 bytes out of the 8 of the 
last unknown message block we encounter (the first when computing backward), 
which is part of the secret key. The rest of the secret can then be computed 
exhaustively (at a lower cost than brute force without slide attacks) or we can 
use a trick². Indeed, we know that the initial internal state is equal to zero, 
and one can accelerate the secret recovery with a meet-in-the-middle attack: we 
compute forward from the known initial internal state and we compute backward 
as we described before. 

3.3 Slide Attacks on Grindahl-256 

Applying the slide attack on Grindahl-256 is a little bit more difficult than on 
the 512-bit version, since the message block size is 32 bits and the padding adds 
two additional blocks to the message. This makes it harder to control the message 
words and to find a slid pair. We describe the slide attack on Grindahl-256 in 
Appendix A. 

4 Slide Attacks on Modified Versions of RadioGatun 

We are able to use the presented technique to attack slightly modified versions 
of RadioGatun. There are two possible modifications. Either we change the 
padding rule such that the last message block can also be an all-zero input block, 
or we change the message input step such that the input block enters the state 
via a replacement of the current state column, i.e., we turn RadioGatun from 
an XOR sponge into an overwrite sponge. This modification is inspired by the 
message input step of Grindahl. 

² If the size of the key is not too big, we don't even require to do any exhaustive search. 

Consider the first case. The padding rule requires the final message block 
always to be non-zero, e.g., by applying the usual 10-padding. For an application 
where the message length always happens to be a multiple of the block size, 
this padding may appear to be moot. So consider an implementation without 
padding. Now the final message block might be all-zero. This gives an easy 
way to generate slid pairs $(M_i, M_j)$ of messages: just take any $M_i$ and set 
$M_j := (M_i \| 0)$ ($M_i$, concatenated with an all-zero message block). In this case, 
slide attacks are straightforward. Given for example a MAC such as 

$$H(K \| M_1) = Z_1^1, Z_1^2, Z_1^3, \dots, Z_1^k \quad \text{and} \quad H(K \| M_1 \| M_{zero} \| M_{zero}) = Z_1^3, \dots, Z_1^k, Z_1^{k+1}, Z_1^{k+2},$$ 

where $Z_1^r$ represents the $r$-th block of the output stream, one can easily forge the MAC 
$Z_1^2, \dots, Z_1^{k+1}$ for the message $M_1 \| M_{zero}$. 

For the second case (turning RadioGatun into an overwrite sponge), consider 
a pair of messages $M_i = M_i^1 \| \dots \| M_i^l$ and $M_j = M_i \| M_j^{l+1}$, with $M_i$ being a 
prefix of $M_j$ and $M_j$ being one block longer. With both final blocks $M_i^l$ and $M_j^{l+1}$ 
being non-zero, the pair is slid with a probability of $2^{-p \times m}$. It is easy to detect slid pairs 
by comparing $k - 1$ of the output blocks. If the pair $(M_i, M_j)$ is slid, then we 
obtain: 

$$H(K \| M_i) = Z_i^1, Z_i^2, Z_i^3, \dots, Z_i^k \quad \text{and} \quad H(K \| M_i \| M_j^{l+1}) = Z_i^2, Z_i^3, \dots, Z_i^k, Z_i^{k+1}.$$ 

This shows that our slide attack can be used to distinguish some hash functions, 
e.g., sponge-based ones, from a random oracle if the designers do not take care to 
avoid sliding properties of their hash functions. 

Slide-like distinguishing attacks are also applicable to other schemes; e.g., a 
modified version of PANAMA even leaks more non-trivial information about the 
internal state than our attack on modified RadioGatun. 
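
The toy sponge below is an added example (not the paper's code, and not RadioGatun, PANAMA or Grindahl) that makes both cases concrete and, at small scale, also mirrors the $S$/$P$/$R$/$T$ layout of Section 3.1: the extended state is an $N_r \times (N_c + 1)$ byte matrix whose column 0 is the message column, $P$ is one AddConstant/SubBytes/ShiftRows/MixColumns round, and the message column is either XORed into (RadioGatun-like) or overwritten (Grindahl-like). Unlike Grindahl it squeezes its output one column per round, which is what makes the $k-1$ block comparison above work. All parameters (2 rows, 6 state columns, 4 blank rounds, 4 output blocks, the rotation amounts, the constant, the $2 \times 2$ MixColumns matrix and the toy S-box) are assumptions chosen to keep the code short; the secret key is one prepended block and no padding is applied, as in the first case above. `slid_extension` uses the secret state to return the one block that makes a pair slid (the zero block under XOR absorption, the column that overwriting would erase otherwise); an attacker instead guesses it, succeeding with probability $2^{-p \cdot m}$ per guess, and recognizes success with `is_slid` from the outputs alone.

```python
"""Toy XOR/overwrite sponge exhibiting the slide property. Added example, not
the paper's code; every parameter below is an assumption (see the lead-in)."""

ROWS, COLS = 2, 6      # N_r rows, N_c state columns; the extended state has COLS + 1 columns
BLANK_ROUNDS = 4       # blank rounds before squeezing
OUT_BLOCKS = 4         # k output blocks Z^1 .. Z^k, one column (ROWS bytes) each
ROT = (1, 2)           # ShiftRows rotation amount per row


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else (a << 1)
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """a^254 = a^-1 in GF(2^8) (0 maps to 0); used to build a bijective toy S-box."""
    r = a
    for _ in range(6):
        r = gf_mul(gf_mul(r, r), a)   # a^3, a^7, ..., a^127
    return gf_mul(r, r)               # a^254


SBOX = [gf_inv(x) ^ 0x63 for x in range(256)]   # a bijection, so P stays a permutation


def permutation(st):
    """One round P on the extended state: AddConstant, SubBytes, ShiftRows, MixColumns."""
    width = COLS + 1
    st = [row[:] for row in st]
    st[ROWS - 1][width - 1] ^= 0x01                          # AddConstant: one nonzero byte
    st = [[SBOX[b] for b in row] for row in st]              # SubBytes
    st = [row[-r:] + row[:-r] for row, r in zip(st, ROT)]    # ShiftRows: row i right by ROT[i]
    out = [[0] * width for _ in range(ROWS)]                 # MixColumns with the matrix [[2,3],[3,2]]
    for c in range(width):
        a, b = st[0][c], st[1][c]
        out[0][c] = gf_mul(2, a) ^ gf_mul(3, b)
        out[1][c] = gf_mul(3, a) ^ gf_mul(2, b)
    return out


def absorb(blocks, mode):
    """Absorb all blocks (tuples of ROWS bytes); return the extended state after P of the
    last block. Overwriting column 0 is R followed by S of Section 3.1; XOR mode keeps the
    column and XORs the block into it."""
    st = [[0] * (COLS + 1) for _ in range(ROWS)]
    for blk in blocks:
        for i in range(ROWS):
            st[i][0] = blk[i] if mode == "overwrite" else st[i][0] ^ blk[i]
        st = permutation(st)
    return st


def squeeze(st):
    """Blank rounds, then Z^i = column 1 of the state, with one P between consecutive blocks."""
    for _ in range(BLANK_ROUNDS):
        st = permutation(st)
    out = []
    for _ in range(OUT_BLOCKS):
        out.append(tuple(st[i][1] for i in range(ROWS)))
        st = permutation(st)
    return out


def mac(key, blocks, mode):
    """H(K || M) with the secret key as one prepended block and no padding."""
    return squeeze(absorb([key] + list(blocks), mode))


def slid_extension(key, blocks, mode):
    """The one-block extension b making (M, M||b) slid. Needs the secret state, so an
    attacker guesses it (success probability 2^-(8*ROWS)) and confirms with is_slid()."""
    st = absorb([key] + list(blocks), mode)
    return tuple(0 for _ in range(ROWS)) if mode == "xor" else tuple(st[i][0] for i in range(ROWS))


def is_slid(out_m, out_ext):
    """Detection from the outputs alone: blocks 1..k-1 of the longer message equal blocks 2..k of M."""
    return list(out_ext[:-1]) == list(out_m[1:])


def forge(out_m, out_mbb):
    """Given H(K||M) = Z^1..Z^k and H(K||M||b||b') = Z^3..Z^{k+2} for successively slid
    b and b', forge H(K||M||b) = Z^2..Z^{k+1} without knowing the key."""
    return list(out_m[1:]) + [out_mbb[-2]]


if __name__ == "__main__":
    key, msg = (0x4B, 0x45), [(0x01, 0x02), (0x03, 0x04)]   # constructed key and message
    for mode in ("xor", "overwrite"):
        b = slid_extension(key, msg, mode)
        b2 = slid_extension(key, msg + [b], mode)
        h_m, h_mb, h_mbb = (mac(key, m, mode) for m in (msg, msg + [b], msg + [b, b2]))
        print(mode, "slid:", is_slid(h_m, h_mb), "forgery valid:", forge(h_m, h_mbb) == h_mb)
```

Both branches exercise the same mechanism: once the extension block equals what the absorption step would have put into the message column anyway, absorbing it is just another blank round, so the output stream of the longer message is the stream of the shorter one shifted by one block. The countermeasures of Section 5 (a nonzero constant before the blank rounds, or different rotation amounts in the blank rounds) break exactly this equality.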

5 Possible Countermeasures and Conclusion 

It only takes a negligible effort to defend hash functions against slide at-
tacks. Hash function designers, like block cipher designers, must be aware of 
possible slide attacks and be on guard for too much self-similarity in their con-
structions. For sponge-based hash functions, a simple patch would be to just 
add a nonzero constant just before running the blank rounds and extracting the 
hash value. Another option would be to marginally change the blank rounds. 
E.g., Grindahl could be changed such that the blank rounds use different ro-
tation amounts (while maintaining the old rotation amounts for all the other 
rounds). Well-chosen padding rules also help. In the case of XOR sponges, a good 
padding even seems to suffice as a defense against slide attacks. 

We have studied the applicability of slide attacks to sponge functions. These 
are a classical tool for block cipher cryptanalysis, but have not been used for 
hash function cryptanalysis so far. Our results indicate that slide attacks can be 
a serious threat for sponge-based hash functions. If the hash function designer is 
aware of slide attacks, we believe that it is easy to defend against them. 
In our slide attacks on Grindahl and on a modified version of RadioGatun we 
demonstrated the power of these attacks. Our attacks apply to both published 
flavours of Grindahl, the 256-bit version and the 512-bit version. As far as we 
know, this is the first cryptanalytic result for the 512-bit version. 
A A Slide Attack on Grindahl-256 

A.1 Find Slid Pairs of Messages 

Building the challenge that generates a slid pair works as follows. We choose a mes-
sage $M_1 = M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l$, where $M_1^l$ is an incomplete block which will be 
padded. The MAC therefore processes the hash input 

$$\mathrm{Pad}(K \| M_1) = K \| M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l + P_1^{10} \| P_1^{L1} \| P_1^{L2},$$ 

where $P_1^{10}$ is the 10-padding of $M_1^l$ and $P_1^{L1} \| P_1^{L2}$ is the two-block encoding of the message 
length. Before building the second message, we want the condition 

$$0^{32} \neq P_1^{L1} = P_1^{L2}$$ 

to always hold for $M_1$. Then, for each $M_1$ we build the message $M_2 = M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l + P_1^{10} \| R$, 
where $R$ is an incomplete block which, after 10-padding, is the same as $P_1^{L1}$. As $P_1^{L1}$ 
is nonzero, such an $R$ exists. In this case, the hash input is 

$$\mathrm{Pad}(K \| M_2) = K \| M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l + P_1^{10} \| R + P_2^{10} \| P_2^{L1} \| P_2^{L2} = K \| M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l + P_1^{10} \| P_1^{L1} \| P_1^{L2} \| P_2^{L2}.$$ 

This holds because of the conditions fulfilled by $P_1^{L1}$ and $P_1^{L2}$: $M_2$ is one block longer 
than $M_1$, so $P_2^{L1} = P_1^{L1} = P_1^{L2}$. In other words, $M_1$ and $M_2$ only differ in an 
additional block at the end. Such a pair $(M_1, M_2)$ is slid with a probability of $2^{-32}$. 
Detecting a slid pair is as simple as in the case of Grindahl-512. Here also the condition 
$B = P(A)$ holds for a slid pair only. $T_A$ leaves enough information to compute column $B^4$ 
by performing one blank round on $T_A$. In this way the output $(T_A, T_B)$ of a challenge 
$(M_1, M_2)$ can be checked for the value of $B^4$ that we expect for a slid pair. We can 
further check by using other columns than $B^4$, even if for them only a subspace of the 
potential solutions is determined by $T_A$. On average, we need $2^{31}$ pairs until we find 
a slid one. Thus, we need to make about $2^{32}$ function calls to obtain and detect a slid 
pair. Figure 4 shows the backward computation of one blank round. 


A.2 Recover the Internal State 

A challenge $(M_1, M_2)$ which produces a slid pair $(T_A, T_B)$ can be used to recover the 
final internal state $A$ (corresponding to the computation of $M_1$) just before the final 
truncation. Since the columns $A^8$ to $A^{12}$ are unknown, we have to recover 20 bytes. 
We can directly recover 10 bytes of $A$ by computing $T_B$ one blank round backward, 
exactly as when we tried to detect slid pairs: we can fully invert the MixColumns 
transformation for the eight first columns (where all the bytes are known), and then it is 
also very easy to invert the ShiftRows, SubBytes and AddConstant transformations. So, 
when looking at Figure 4, it is clear that the attacker can directly get 10 unknown 
bytes of $A$. The remaining 10 unknown bytes can be recovered in a different way. 
For each possibility among those bytes ($2^{8 \cdot 10} = 2^{80}$ possibilities), we invert all the 
blank rounds and check if the last added word (the first encountered when computing 
backward) is $P_1^{L2}$. Indeed, when inverting the real internal state $A$, we surely come 
to the insertion of the block $P_1^{L2}$, and this can be easily detected since we know this 
message block and since the message insertion overwrites the first column of the internal 
state. This leaves $2^{80-32} = 2^{48}$ possibilities. We can continue to compute backward to 
the word $P_1^{L1}$, even if some parts of the internal state at this point become undetermined 
due to the truncation when inserting the message words, and thus we only have 
$2^{48-32} = 2^{16}$ possibilities. Finally, we can continue to the message word $M_1^l + P_1^{10}$, 
which leads to a recovery of the full internal state $A$. 

Fig. 4. Detecting a slid pair of messages for Grindahl-256. Cells in dark gray mark 
known bytes while cells in light gray mark unknown bytes. The inverse MixColumns 
($\mathrm{MC}^{-1}$) and the inverse ShiftRows ($\mathrm{SR}^{-1}$) are the only two operations which are 
important for our analysis: AddConstant and SubBytes leave known (respectively unknown) 
bytes known (respectively unknown). Therefore we omit the other operations. 


A.3 Using Only Short Messages 

Note that the above attack required $0^{32} \neq P_1^{L1} = P_1^{L2}$, i.e., the most significant and the 
least significant word of the length field of $(K \| M_1)$ must be the same, and nonzero. Thus, 
the smallest possible choice for $P_1^{L1} = P_1^{L2}$ is $P_1^{L1} = P_1^{L2} = 1$, implying a message 
length (for $(K \| M)$, i.e., including the key) of $1 + 2^{32}$ blocks. If dealing with such long 
messages is an issue, we can modify the attack so as to use short messages. The modified 
attack goes as follows. 

We choose a message $M_1 = M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l$, where the final block 
$M_1^l$ is incomplete. The MAC processes the hash input 

$$\mathrm{Pad}(K \| M_1) = K \| M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l + P_1^{10} \| P_1^{L1} \| P_1^{L2},$$ 

with a length field $P_1^{L1} \| P_1^{L2}$. Note that $P_1^{L2}$ holds the 32 least significant bits, while 
$P_1^{L1}$ holds the 32 most significant bits. We assume short messages, thus $P_1^{L1} = 0^{32}$. 
This time, we want the MAC to process the hash input 

$$\mathrm{Pad}(K \| M_2) = K \| M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l + P_1^{10} \| P_1^{L1} \| S + P_2^{10} \| P_2^{L1} \| P_2^{L2} = K \| M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l + P_1^{10} \| P_1^{L1} \| P_1^{L2} \| P_2^{L1} \| P_2^{L2}.$$ 

Thus, $M_1$ and $M_2$ only differ in two additional blocks at the end. Accordingly, we 
choose $M_2 = M_1^0 \| M_1^1 \| \dots \| M_1^{l-1} \| M_1^l + P_1^{10} \| P_1^{L1} \| S$. 
As $P_1^{L2}$ is nonzero, an incomplete block $S$ with $S + P_2^{10} = P_1^{L2}$ does exist. 

Now we define $M_1$ and $M_2$ as a slid-by-two pair if, when processing the shorter 
message $M_1$, the first two empty rounds behave exactly like the last two nonempty rounds 
when processing $M_2$. This happens with a probability of $(2^{-32})^2$, and on average 
we need $2^{63}$ pairs to find a slid-by-two pair. 

A pair of messages is slid-by-two if and only if the two corresponding states $A$ and 
$B$ satisfy $B = P(P(A))$. Detecting slid-by-two pairs from $T(A)$ and $T(B)$ and then 
recovering the internal state $A$ is slightly more complicated, compared to "ordinarily" 
slid-by-one pairs, but still feasible. 


A.4 Uncover Some Parts of the Secret Key or Forge Valid MACs 

By knowing the whole internal state $A$ it is straightforward to invert the blank rounds. 
With this information, we can directly generate new valid MACs for messages which 
contain $M_1$ as prefix: we just have to continue the computation of the hash function 
by ourselves. 

We can also try to invert the rounds where known message words are inserted. Some 
parts of the internal state are undetermined because of the truncation when adding 
message words. We do not know what was in the first column before erasing it with 
a message word, except for the first undetermined column, which is equal to $P_1^{L2}$ as 
described above. But we can guess those undetermined columns by only keeping those 
which lead to the correct inserted message words in the first column. This is the same as 
what we did above to recover the final internal state. By trying all the possible values of 
the truncated column, we can continue going backward and check which one leads to 
the known correct values of the message blocks inserted a few rounds before. Some 
trials will lead to wrong inserted message blocks and can be discarded. The ones leading 
to the correct values have a good chance to be the real erased bytes. Thus, we can go 
backward for all the known message words and recover the erased columns until we 
have to stop this procedure when we reach the unknown secret key word. The last 
unknown column which can be recovered is the column before inserting $M_1^0$. Now, with 
all this information we can recover 1 byte out of the 4 of the last unknown message 
block we encounter (the first when computing backward), which is part of the secret 
key. The rest of the secret can then be computed exhaustively (at a lower cost than 
brute force without slide attacks) or we can use a trick (if the size of the key is not too 
big, we don't even require any exhaustive search). Indeed, we know that the 
initial internal state is equal to zero, and one can accelerate the secret recovery with a 
meet-in-the-middle attack: we compute forward from the known initial internal state 
and we compute backward as we described before. 
Abstract. Although it is well known that all basic private-key cryptographic 
primitives can be built from one-way functions, finding weak 
assumptions from which practical implementations of such primitives ex- 
ist remains a challenging task. Towards this goal, this paper introduces 
the notion of a constant-query weak PRF, a function with a secret key 
which is computationally indistinguishable from a truly random function 
when evaluated at a constant number s of known random inputs, where 
s can be as small as two. 

We provide iterated constructions of (arbitrary-input-length) PRFs 
from constant-query weak PRFs that even improve the efficiency of pre- 
vious constructions based on the stronger assumption of a weak PRF 
(where polynomially many evaluations are allowed). 

One of our constructions directly provides a new mode of operation 
using a constant-query weak PRF for IND-CPA symmetric encryption 
which is essentially as efficient as conventional PRF-based counter-mode 
encryption. Furthermore, our constructions yield efficient modes of op- 
eration for keying hash functions (such as MD5 and SHA-1) to obtain 
iterated PRFs (and hence MACs) which rely solely on the assumption 
that the underlying compression function is a constant-query weak PRF, 
which is the weakest assumption ever considered in this context. 


1 Introduction 

1.1 Minimizing Assumptions: Constant-Query Weak PRFs 

Most cryptographic security proofs are reductions : Under the assumption that a 
primitive P exists, the existence of a second primitive P' is shown by means of a 
concrete construction that uses an implementation of P (usually in a black-box 
manner) to implement P' . For example, P' could be a pseudorandom function 
(PRF), i.e. a function with a secret key which is computationally indistinguish- 
able from a truly random function under arbitrary (adaptive) access. These 
functions are central primitives as they provide a direct solution to the problems 
of provably secure symmetric encryption and message authentication. 

* This research was partially supported by the Swiss National Science Foundation 
(SNF), project no. 200020-113700/1. 

U. Maurer and S. Tessaro 


Ideally, one would like the underlying primitive P to be as weak as possible, as 
in practice it is more likely that an efficient and secure candidate is successfully 
designed. Also, it is a safe practice to assume that already existing cryptographic 
functions (such as block ciphers or compression functions of hash functions) only 
fulfill weaker properties than what they have been originally designed for. Some-
times, however, reductions to weak assumptions turn out to be inefficient and 
involve large security losses, and hence design-
ers of cryptographic systems are frequently confronted with a trade-off between 
the strength of the underlying assumption and the complexity of the resulting 
construction. 

With the aim of proposing new weak assumptions for the purpose of 
building symmetric-key primitives, this paper introduces the notion of constant-
query weak pseudorandom functions: Informally, for some constant $s$, a func-
tion $F : \{0,1\}^\kappa \times \{0,1\}^m \to \{0,1\}^n$ with $\kappa \le s \cdot n$ is an $s$-query weak PRF 
($s$-WPRF) if $F(K, \cdot)$ (under a secret key $K$) is indistinguishable from a ran-
dom function when evaluated at $s$ independent known random inputs.¹ This no-
tion weakens significantly the regular concept of a weak pseudorandom function 
(WPRF), where indistinguishability for polynomially many random inputs 
is required. We point out that a WPRF is by itself already much weaker than 
a PRF, as it possibly exhibits several non-random properties (such as having 
weak inputs or being commutative, i.e. $F(k, F(k', x)) = F(k', F(k, x))$). On top 
of this, an $s$-WPRF allows for even more structure: For instance, any $s + 1$ dis-
tinct inputs $x_1, \dots, x_{s+1}$ and the corresponding outputs $F(k, x_1), \dots, F(k, x_{s+1})$ 
under a secret key $k$ may satisfy an easily verifiable relation with no impact on 
the pseudorandomness of the function. 

In this work, we address the problem of using $s$-WPRFs to construct PRFs. 
Since $s$-WPRFs imply the existence of one-way functions, a straightforward con-
struction can be obtained using the known generic results. However, the inefficiency 
and the security loss of the resulting reduction make this approach unsuitable 
for any practical use, even if the underlying $s$-WPRF is both highly efficient and 
secure. For this reason, this paper deals with the question of finding efficient 
constructions of PRFs from $s$-WPRFs: Surprisingly, we are able to provide con-
structions which are more efficient than existing reductions of PRFs to WPRFs, 
while only requiring the underlying function to be an $s$-WPRF, for $s$ as low as 
two. Furthermore, our constructions are iterated and can process inputs of ar-
bitrary length. This structure makes them well suited to be derived from 
properly keyed hash functions with very weak compression functions. 

The next two sections are devoted to discussing previous work in the contexts 
of building PRFs from WPRFs and of iterated PRFs and MACs, respectively, 
and to relating it to our results. 


¹ The assumption that $s$-WPRFs exist implies the existence of one-way functions, since 
the mapping $(k, r) \mapsto F(k, r)$ is easily verified to be one-way as long as $\kappa \le s \cdot n$. 
For $\kappa > s \cdot n$, such functions can be constructed unconditionally, e.g. using $s$-wise 
independent functions. (However, optimal unconditional constructions with $\kappa = s \cdot n$ 
are not known for all parameters $m$.) 
1.2 Construction of PRFs from Weak PRFs 

The first construction of a PRF from a WPRF is due to Naor and Reingold, 
and a further construction was later proposed by Maurer and Sjödin. Both 
assume² a length-preserving underlying function $F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ 
(which can be obtained e.g. from a block cipher) and realize a keyed function 
mapping $\ell$-bit strings to $n$-bit strings (for a fixed input length $\ell$). 

The Naor-Reingold Construction. The construction NR takes an $\ell$-
bit input (with $\ell$ being a power of two) and its secret key consists of $2\ell$ $n$-
bit strings $k_{1,0}, k_{1,1}, \dots, k_{\ell,0}, k_{\ell,1}$. The computation on input $x = (x_1, \dots, x_\ell)$ 
proceeds as follows: First, we define $y_i^{(0)} := k_{i,x_i}$ for all $i = 1, \dots, \ell$. Then, 
for all $j = 1, \dots, \log \ell$ we compute $y_i^{(j)} := F(y_{2i-1}^{(j-1)}, y_{2i}^{(j-1)})$ for all $i = 1, \dots, \ell/2^j$, 
and finally output $y_1^{(\log \ell)}$. In other words, the elements of the key corresponding to 
the individual input bits are chosen as the values of the $\ell$ leaves of a complete 
binary tree which is evaluated in a bottom-up fashion by computing the value of 
each inner vertex as $F(y_l, y_r)$, where $y_l$ and $y_r$ are the values of its children, and 
finally outputting the value of the root. Hence, one evaluation of the construction 
needs $\frac{\ell}{2} + \frac{\ell}{4} + \dots + 1 = \ell - 1$ calls to the underlying function $F$. A more involved 
construction (which we call NR') by the same authors uses a key consisting 
of $s$ $n$-bit values and improves the total number of calls to roughly $\ell / \log s$ per 
evaluation, but only accepts $\ell$ and $\log s$ to have the form $2^j + 2$ for some $j > 0$. 
(For both constructions, other input lengths can be achieved through appropriate 
paddings.) 

The IC-Construction. The construction IC takes a $(\kappa + 2n)$-bit key 
consisting of three values $k_1 \in \{0,1\}^\kappa$ and $r, r' \in \{0,1\}^n$. (The value $r'$ can even 
be made public.) It first precomputes the values $k_i := F(k_{i-1}, r')$ for all $i = 
2, \dots, \ell$. Furthermore, on an $\ell$-bit input $x = (x_1, \dots, x_\ell)$, it sets $y_0 := r$, and 
for all $j = 1, \dots, \ell$ computes $y_j := F(k_j, y_{j-1})$ if $x_j = 1$, and $y_j := y_{j-1}$ 
otherwise. Finally, it outputs $y_\ell$. The construction IC requires $w(x)$ calls to $F$ when 
evaluated on input $x$, where $w(x) \le \ell$ is the Hamming weight of $x$. If memory 
restrictions do not allow storage of the keys $k_2, \dots, k_\ell$, their values have to be 
computed at each evaluation and thus the construction requires $(\ell - 1) + w(x)$ 
calls to $F$ per evaluation, which can be as high as $2\ell - 1$. 

A central remark is that in order for all the aforementioned constructions to be secure PRFs for adversaries issuing q queries, the underlying WPRF must also be secure when evaluated at q random inputs. (The concrete security bounds for these constructions are discussed in the full version.) Moreover, in this paper we will focus on iterated constructions of PRFs and MACs where candidates for WPRFs may arise from (keyed) compression functions of hash functions, which have the form $F : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^\kappa$ (where e.g. κ = 160 and n = 512 for SHA-1). The above constructions can all be extended in a straightforward way³ to handle such functions as well, but for the same input length ℓ the number of calls would increase considerably if n > κ (roughly, by a factor of ⌈n/κ⌉ with respect to the case n = κ, which is e.g. 4 for SHA-1). This holds even if we just want κ-bit outputs. Hence, this calls for a construction for which the condition n > κ does not have a negative impact on the efficiency of the construction.

² In fact, the construction of […] relies on an intermediate primitive, called a synthesizer, but a WPRF $F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ is in fact a synthesizer.

1.3 Assumptions in Iterated MACs and PRFs 

Bellare et al. […] proposed two efficient message authentication codes called HMAC and NMAC, obtained by appropriately keying an iterated⁴ hash function $H : \{0,1\}^\kappa \times \{0,1\}^* \to \{0,1\}^\kappa$ (where the first input is the initialization value) as $\mathrm{HMAC}(k_1 \| k_2, x) := H(IV, k_2 \| H(IV, k_1 \| x))$ (for a fixed known IV and $|k_1|, |k_2|$ both equal to the block length of H) and as $\mathrm{NMAC}(k_1 \| k_2, x) := H(k_2, H(k_1, x))$, respectively.⁵ (Note that HMAC only requires black-box usage of H.) Even though alternative designs of MACs exist (such as CBC-MAC and UMAC […], to name a few), these constructions have enjoyed widespread usage due to the large availability of hash function implementations (both in hardware and in software). From the theoretical standpoint, security of HMAC/NMAC was first proved […] under the assumption that the compression function of H is a PRF (when keyed through the chaining value), and that H is weakly collision resistant, i.e. it is hard to find two distinct messages x, x' with H(K, x) = H(K, x') for a secret key K (given oracle access to H(K, ·)). Bellare […] subsequently proved HMAC/NMAC to be an arbitrary-input-length PRF under the sole assumption of the compression function being a PRF. We point out that the cascade construction by Bellare et al. […] can also be seen as a way to key a hash function with a single key to obtain a PRF under the same assumption, at the expense of using a prefix-free encoding of the inputs. More recently, Fischlin [12] presented security proofs for HMAC/NMAC (when used as a MAC rather than as a PRF) relying on non-malleability properties of the underlying compression function. A further recent line of research […] has been concerned with increasing the efficiency of the HMAC/NMAC constructions by imposing slightly stronger requirements on the underlying compression function (i.e. pseudorandomness under mild types of related-key attacks).

The bottom line is that in order to deploy one of these constructions in practice, it is relevant to assess the level of confidence one is willing to put in the given compression function, but in view of continuous cryptanalytic achievements this is far from being a simple task. This issue motivates us to take steps in the opposite direction: We raise the question of constructing iterated MACs (and PRFs) with very low requirements on the given compression function, while guaranteeing limited impact on the performance when compared with constructions with stronger underlying security assumptions. In particular, we consider constructions which only require the underlying compression function to be an s-WPRF (for s as small as two).

³ One can simply base the above constructions on the function $F' : (k_1 \| \ldots \| k_c, r) \mapsto F(k_1, r) \| \ldots \| F(k_c, r)$ (possibly chopping some bits) where c = ⌈n/κ⌉ (the function F' can be shown to be a WPRF). Note that more involved range-extension techniques (such as those from […]) do not work here, as they require a length-preserving function beforehand.

⁴ i.e. based on the Merkle-Damgård construction [10, 11], cf. also Section 2.

⁵ Practical implementations usually consider single-keyed versions which, for simplicity, are not discussed here.


1.4 Contributions and Outline of This Paper 

This paper initiates the study of constant-query WPRFs, and in particular investigates the problem of constructing efficient PRFs from these primitives.

- In Section 3 we present our first construction (called the RC-construction) of an arbitrary-input-length PRF from any s-WPRF $F : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^\kappa$ (for some constant s ≥ 2). As a special case of our construction, one obtains a fixed-input-length PRF which, for input length ℓ, requires ⌈ℓ/log s⌉ calls to F per evaluation, hence improving on earlier constructions despite the weaker underlying assumption of an s-WPRF.

- Careful instantiation of the RC-construction yields efficient counter-mode symmetric encryption relying on the sole assumption of an s-WPRF (for some s ≥ 2), while requiring (on average) only 1 + 1/(s − 1) calls to F per κ-bit block of encrypted data and minimal storage overhead. Furthermore, the RC-construction directly yields constructions of efficient PRGs from s-WPRFs.

- Section 4 presents a further construction, called the nested RC-construction, which improves the throughput of the RC-construction for long messages making a novel use of pairwise independence, while still solely relying on the underlying function being an s-WPRF.

- Finally, Section 5 addresses the problem of deriving our constructions by keying iterated hash functions (such as SHA-1 or MD5) whose compression function is an s-WPRF: If minimal (and natural) regularity properties are additionally guaranteed by the compression function, the keying can be done in an entirely black-box way. Furthermore, this is the weakest assumption on the compression function for which modes of operation leading to secure PRFs and MACs have ever been considered.

The basic tools needed in the rest of the paper are reviewed in Section 2.


2 Preliminaries 

2.1 Notational Conventions 

Throughout this paper, for a set U, we denote as $U^n$, $U^*$, and $U^+$ the sets of sequences $s = (u_1, \ldots, u_{|s|})$ of el of U of length |s| = n, of arbitrary length with the empty sequence ε, and of arbitrary length |s| without the empty sequence ε, respectively. (For the case U = {0, 1} we usually talk of strings.) The notation s‖s' stands for the concatenation of sequences s and s', and $u^r$ is the sequence (u, …, u) consisting of r repetitions of the symbol u ∈ U. Given a two-argument function $F : U \times V \to Y$ we denote by F(u, ·) the function V → Y obtained by fixing the first input to u. Finally, $A^O(r)$ denotes the (oracle) algorithm A which runs on input r with access to the oracle O. Algorithms are in general randomized, and throughout this paper we fix some RAM model of computation for these algorithms. In particular, an algorithm A is said to have running time t if the sum of its description length and the worst-case number of steps it takes (counting oracle queries as single steps), taken over all randomness values, all inputs, and all compatible oracles, is at most t.

2.2 Cryptographic Functions 

Pseudorandom Functions (PRFs). For some set X (generally $X = \{0,1\}^\ell$ or $X = \{0,1\}^*$) we consider keyed functions of the form $F : \{0,1\}^\kappa \times \{0,1\}^p \times X \to \{0,1\}^n$, where the first and the second parameters are called the public and the private part of the key, respectively.⁶ The third parameter is the input of F. We define the PRF advantage of D in distinguishing F from random as the quantity

$$\mathrm{Adv}^{\mathrm{PRF}}_F(D) := \left| P\left[D^{F(K,R,\cdot)}(R) = 1\right] - P\left[D^{R_{X,n}}(R) = 1\right] \right|,$$

where K and R are independent and uniformly chosen from {0,1}^κ and {0,1}^p, respectively, whereas $R_{X,n}$ is a random function mapping elements of X to n-bit strings, i.e. an oracle which associates with each x ∈ X a uniformly-distributed independent n-bit string. (Whenever X is finite, this is equivalent to a randomly chosen function X → {0,1}^n.) For notational convenience we introduce the shorthand $\mathrm{Adv}^{\mathrm{PRF}}_F(t, q)$ to indicate the best advantage taken over all distinguishers with running time t and making at most q queries. Informally, F is a PRF if $\mathrm{Adv}^{\mathrm{PRF}}_F(t, q)$ is "negligible" for all t and q polynomial in some (understood) security parameter.⁷ We often consider the case X = {0,1}^*: Such a PRF is called an arbitrary-input-length PRF (AIL-PRF), and for this case we define $\mathrm{Adv}^{\mathrm{PRF}}_F(t, q, \ell)$ as the maximal advantage taken over all distinguishers with running time t making at most q queries each of length at most ℓ.

Message Authentication Codes (MACs). A keyed function $F : \{0,1\}^\kappa \times \{0,1\}^p \times \{0,1\}^* \to \{0,1\}^n$ is a MAC if it is "unpredictable" under a secret key. Formally, for an adversary A, we define its MAC advantage as

$$\mathrm{Adv}^{\mathrm{MAC}}_F(A) := P\left[A^{F(K,R,\cdot)}(R) = (x, y) \;\wedge\; F(K, R, x) = y \;\wedge\; x \text{ new}\right],$$

where K and R are random independent κ- and p-bit strings, respectively, and "x new" means that x was not queried by A to the given oracle. We define $\mathrm{Adv}^{\mathrm{MAC}}_F(t, q, \ell)$ to be the best advantage of an adversary with running time t issuing at most q − 1 queries to F(K, R, ·), each of length at most ℓ (and the message x output has also length at most ℓ). It is a well-known fact that a secure AIL-PRF is also a good MAC, namely $\mathrm{Adv}^{\mathrm{MAC}}_F(t, q, \ell) \le \mathrm{Adv}^{\mathrm{PRF}}_F(t', q, \ell) + \ldots$, where t ≈ t'.

⁶ We take this unconventional point of view as the constructions of this paper will allow part of the key to be publicly revealed with no harm to their security, and there are settings where this is a useful feature.

⁷ If one considers both parts of the key as a single secret key, this implies that F is a PRF according to the usual definition considered in the literature.

Weak Pseudorandom Functions (WPRFs). This notion weakens a PRF to only withstand attacks where the function is queried on independent random known inputs. (Sometimes, this is called a known-plaintext attack (KPA) in the literature.) Formally, for some function g, we let $\$_g$ be the oracle that returns an ordered pair (r, g(r)) for a fresh random r each time it is invoked. Then, for a keyed function $F : \{0,1\}^\kappa \times \{0,1\}^m \to \{0,1\}^n$ we define the WPRF advantage of the distinguisher D in distinguishing F from random as

$$\mathrm{Adv}^{\mathrm{WPRF}}_F(D) := \left| P\left[D^{\$_{F(K,\cdot)}} = 1\right] - P\left[D^{\$_{R_{m,n}}} = 1\right] \right|,$$

where $R_{m,n}$ is a random function mapping m-bit strings to n-bit strings and K is a random κ-bit secret key.⁸ Additionally $\mathrm{Adv}^{\mathrm{WPRF}}_F(t, q)$ stands for the best advantage taken over all distinguishers with running time t making at most q queries. For a constant s, we call a function $F : \{0,1\}^\kappa \times \{0,1\}^m \to \{0,1\}^n$ with κ ≤ s · n an s-weak pseudorandom function (s-WPRF) if $\mathrm{Adv}^{\mathrm{WPRF}}_F(t, s)$ is negligible for all polynomial running times t, and we simply call it a weak pseudorandom function (WPRF) if $\mathrm{Adv}^{\mathrm{WPRF}}_F(t, q)$ is negligible for all polynomially bounded t and q.

Cascade and Iterated Hash Functions. For $F : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^\kappa$, it is convenient to define its cascade $F^* : \{0,1\}^\kappa \times (\{0,1\}^n)^+ \to \{0,1\}^\kappa$ as the function which, on input $k \in \{0,1\}^\kappa$ and $(x_1, \ldots, x_\lambda) \in (\{0,1\}^n)^+$ (with $x_1, \ldots, x_\lambda \in \{0,1\}^n$) first computes $y_0 := k$ and $y_i := F(y_{i-1}, x_i)$ for all i = 1, …, λ, and subsequently outputs $y_\lambda$. In this work we also consider iterated hash functions [10, 11] $H : \{0,1\}^* \to \{0,1\}^\kappa$ with underlying compression function $F : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^\kappa$ (n is generally called the block length) and initialization value IV ∈ {0,1}^κ which are defined such that every input x ∈ {0,1}^* is first padded as $(x_1, \ldots, x_\lambda) \in (\{0,1\}^n)^+$ and subsequently the value $F^*(IV, (x_1, \ldots, x_\lambda))$ is output. In general, the last block $x_\lambda$ contains some padding bits as well as the length of the message (the so-called MD-strengthening) to preserve collision resistance of the compression function. Examples of such functions are those from the MD and the SHA families.

Universal Hashing. Let $H : \{0,1\}^\kappa \times \{0,1\}^* \to \{0,1\}^n$, and let $\delta : \mathbb{N} \to \mathbb{R}^+$. We say that H is δ-almost universal (δ-AU) if

$$p^{\mathrm{coll}}_H(x, x') := P[H(K, x) = H(K, x')] \le \delta(\max\{|x|, |x'|\})$$

for all distinct x, x' ∈ {0,1}^*, where K is a randomly chosen κ-bit key. We stress that we extend the standard notion to deal with arbitrary input lengths by letting δ be a function of the message length. The following lemma extends to the arbitrary-input-length case the well-known fact that δ-AU hash functions can be used to extend the domain of PRFs. (We omit its proof which follows the lines of the fixed-input-length case.)

⁸ In contrast to the definitions of PRFs and MACs, here we only consider a fully-secret

Lemma 1. Let $H : \{0,1\}^\kappa \times \{0,1\}^* \to \{0,1\}^m$ be δ-AU, and let $F : \{0,1\}^{\kappa'} \times \{0,1\}^p \times \{0,1\}^m \to \{0,1\}^n$ be a keyed function. Define $HF : \{0,1\}^{\kappa+\kappa'} \times \{0,1\}^p \times \{0,1\}^* \to \{0,1\}^n$ such that $HF(k \| k', r, x) := F(k', r, H(k, x))$. Then we have

$$\mathrm{Adv}^{\mathrm{PRF}}_{HF}(t, q, \ell) \le \mathrm{Adv}^{\mathrm{PRF}}_F(t', q) + \tfrac{1}{2} \cdot q^2 \cdot \delta(\ell),$$

where $t' = t + q \cdot t_H(\ell)$, with $t_H(\ell)$ being the time needed to evaluate H on inputs of length at most ℓ.

3 The Randomized Cascade Construction 

3.1 Description and Security of the Construction 

In this section, we present the first iterated construction of this paper. It is reminiscent of the cascade construction of Bellare et al. […], but only requires the underlying function $F : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^\kappa$ to be an s-WPRF with s ≥ 2 being a parameter of the construction. As in […], the construction relies on the concept of a prefix-free encoding, which we briefly introduce.

Prefix-free Encodings. For a set X, the efficiently computable function ENC : X → {1, …, s}^+ (i.e. outputting a non-empty sequence of elements of {1, …, s}) is a prefix-free encoding scheme if for all distinct x, x' ∈ X the sequence ENC(x) is not a prefix of the sequence ENC(x'). (In particular, ENC must be injective.) If X = {0,1}^*, a prefix-free encoding scheme is e.g. obtained by encoding canonically the input as a sequence in {1, …, s − 1}^*, and then appending the symbol s to the sequence. Other variants exist, but it is generally desirable that ENC operates on-line, i.e. the encoding is progressively output while the input bits are provided, without the need to know the entire input before starting the encoding process. If X = {0,1}^ℓ for some fixed ℓ, then prefix-freeness is achieved "for free" by encoding all inputs as sequences in {1, …, s}^* of equal length ⌈ℓ/log s⌉.

Construction. The randomized cascade construction with parameter s and input set X (where usually either X = {0,1}^* or X = {0,1}^ℓ for a fixed ℓ) for the function F and prefix-free encoding scheme ENC, denoted $\mathrm{RC}^{F,\mathrm{ENC}}_{s,X}$, is a mapping $\{0,1\}^\kappa \times \{0,1\}^{sn} \times X \to \{0,1\}^\kappa$: It takes a key consisting of a κ-bit private part k and an sn-bit long public part, which is interpreted as the concatenation of s n-bit strings $r_1, \ldots, r_s$. On input x ∈ X, the κ-bit output is computed through the following two steps:

1. Compute $\mathrm{ENC}(x) = (m_1, \ldots, m_\lambda) \in \{1, \ldots, s\}^+$;

2. Output $F^*(k, (r_{m_1}, \ldots, r_{m_\lambda}))$.

Fig. 1. The construction $\mathrm{RC}^{F,\mathrm{ENC}}_s$

As an example, the construction is depicted in Figure 1 for the special case s = 2. For notational convenience, we use the shorthands $\mathrm{RC}^{F,\mathrm{ENC}}_s$ for X = {0,1}^* (and omit the prefix-free encoding when it is generally understood from the context), as well as $\mathrm{RC}^F_{s,\ell}$ for X = {0,1}^ℓ (where the canonical encoding described above is used). We also generically refer to the construction as the RC-construction.

Efficiency Comparisons. A fair comparison between the RC-construction and previous results can be undertaken for the fixed-input-length construction $\mathrm{RC}^F_{s,\ell}$ only. In the length-preserving case (κ = n), the construction $\mathrm{RC}^F_{s,\ell}$ is comparable (for the case s = 2) to the NR- and the IC-constructions in terms of calls to F, and outperforms them for s > 2. Furthermore, we obtain the same space-time trade-off of the NR_{s,ℓ}-construction, but we allow for all possible values of s. Our construction also limits the effects of possibly very long input paddings in the NR- and NR_{s,ℓ}-constructions. The efficiency improvement of our construction is however more evident in the case where n > κ, as even if s = 2, the number of calls to F of (the extended versions of) all other constructions is larger at least by a factor ⌈n/κ⌉ (the factor is e.g. 4 when instantiating F with the compression function of SHA-1). Finally, because of the iterated structure, efficient sequential evaluation of $\mathrm{RC}^F_{s,\ell}$ requires (beside sufficient storage for the key material) κ bits only to store the "chaining value".

Security. In order to give precise security bounds for the RC-construction, it is convenient to think of the prefix-free encoding ENC in terms of a (possibly infinite) directed tree $T = (\mathcal{V}, \mathcal{E})$ with vertex set $\mathcal{V}$ consisting of all sequences $(m_1, \ldots, m_j)$ which are a prefix of ENC(x) for some input x (in particular, including the encodings themselves and the empty sequence ε). Furthermore, for each $(m_1, \ldots, m_j) \in \mathcal{V}$ there exists a directed edge to $(m_1, \ldots, m_j, m_{j+1})$ for all $m_{j+1} \in \{1, \ldots, s\}$ such that $(m_1, \ldots, m_{j+1}) \in \mathcal{V}$. Hence, it is easy to see that ε is the root of the directed tree and its leaves are exactly the encodings of the inputs. We provide two examples of such trees in Figure 2.

Every sequence of queries to the RC-construction defines a subtree of T consisting of the paths from the root to the encodings of the queries: For notational convenience, we define the shorthand $L(x_1, \ldots, x_q)$, for q inputs $x_1, \ldots, x_q$, to be the number of inner vertices (i.e. vertices which are not leaves) of the sub-tree induced by the evaluations of $x_1, \ldots, x_q$. It is easy to verify that for $\mathrm{RC}^F_{s,\ell}$ we have $L(x_1, \ldots, x_q) \le 1 + q(\lceil \ell/\log s \rceil - 1)$. Also, for the case where the inputs are strings with arbitrary length, we define (always with respect to the understood encoding) $L(q, \ell) := \max_{x_1, \ldots, x_q : |x_i| \le \ell} L(x_1, \ldots, x_q)$.

Consequently, one can see an interaction with the RC-construction as a process where the tree $T = (\mathcal{V}, \mathcal{E})$ defined by ENC is traversed and κ-bit values are assigned to all visited vertices: While the root ε is assigned a random κ-bit value, the value of each visited vertex $(m_1, \ldots, m_j)$ is set to $F(z, r_{m_j})$, with z being the value of the parent vertex $(m_1, \ldots, m_{j-1})$. A query with input x is answered with the value at the corresponding leaf ENC(x). By the definition of an s-WPRF, it is easy to see that evaluating F under some given (pseudo-)random secret key at s independent random inputs produces s pseudorandom outputs,⁹ and hence intuitively the above process sets the values of all visited vertices to pseudorandom values (and in particular this holds for the leaves). However, to formalize this intuition, we have to show that it is indeed possible to recycle the same values $r_1, \ldots, r_s$ for each invocation of F.

The following theorem formally captures the main security statement for the RC-construction (for a general input set X).

Theorem 1. Let s ≥ 2, let X be a set, and let ENC : X → {1, …, s}^+ be a prefix-free encoding scheme. Furthermore, let $F : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^\kappa$. For all L and all distinguishers D with running time t and with $L(x_1, x_2, \ldots) \le L$ for all possible query sequences $x_1, x_2, \ldots \in X$, there exists a distinguisher D' = D'(D) such that

$$\mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{RC}^{F,\mathrm{ENC}}_{s,X}}(D) \le L \cdot \left[\mathrm{Adv}^{\mathrm{WPRF}}_F(D') + s^2 \cdot 2^{-(n+1)}\right],$$

where D' makes exactly s queries and has running time $t' = t + O(L \cdot t_F)$, with $t_F$ being the time needed to evaluate F.

In the appendix we provide a precise description of the distinguisher D', and refer the reader to the full version of this paper for the complete proof.

We remark that the term $s^2 \cdot 2^{-(n+1)}$ is negligible, as s is assumed to be constant. Combined with the above observations on L, the theorem directly yields the following security bounds for the specialized variants of the RC-construction:

$$\mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{RC}^F_s}(t, q, \ell) \le L(q, \ell) \cdot \left[\mathrm{Adv}^{\mathrm{WPRF}}_F(t', s) + s^2 \cdot 2^{-(n+1)}\right],$$

$$\mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{RC}^F_{s,\ell}}(t, q) \le \left[1 + q\left(\left\lceil \tfrac{\ell}{\log s} \right\rceil - 1\right)\right] \cdot \left[\mathrm{Adv}^{\mathrm{WPRF}}_F(t'', s) + s^2 \cdot 2^{-(n+1)}\right],$$

with $t' = t + O(L(q, \ell) \cdot t_F)$ and $t'' = t + O\left(\left(1 + q\left(\lceil \ell/\log s \rceil - 1\right)\right) \cdot t_F\right)$.

The most important observation is that all variants of the RC-construction require F to be only an s-WPRF. A minor positive aspect of the randomized cascade construction (if compared with other constructions) is the absence of any q-dependent birthday-like term in the above inequalities. Furthermore, if we assume that F is indeed secure against q queries, the security of the $\mathrm{RC}^F_{s,\ell}$-construction is comparable to the one of the IC_ℓ-construction if we assume (in fact, very optimistically) that the best WPRF-distinguishing advantage grows linearly in the number of queries, i.e. $\mathrm{Adv}^{\mathrm{WPRF}}_F(t, q) = O(q \cdot \mathrm{Adv}^{\mathrm{WPRF}}_F(t, s))$.

Fig. 2. Example trees associated with prefix-free encodings. Left: Encoding mapping inputs a, b, c, d, and e to sequences (1,1), (1,2), (2,1), (2,2,1), and (2,2,2), respectively. Right: Encoding CTRENC used for efficient counter-mode evaluation.

⁹ Except in the case where two of the random inputs $r_1, \ldots, r_s$ collide, which happens with small probability only.

Larger Output Sizes. It is easy to increase the output size of the RC-construction (if needed) with the addition of a minor number of invocations of F per evaluation, which is independent of the input length: To obtain a construction $\mathrm{RC}' : \{0,1\}^\kappa \times \{0,1\}^{ns} \times X \to \{0,1\}^{\phi\kappa}$ with output size φ · κ, we fix φ distinct strings $a_1, \ldots, a_\phi \in X$ such that $L(a_1, \ldots, a_\phi)$ is minimal. Then, given a key with private part k and public part $r_1, \ldots, r_s$, on input x ∈ X, to compute $\mathrm{RC}'(k, r_1 \| \ldots \| r_s, x)$ we first compute $k' := \mathrm{RC}^F_s(k, r_1 \| \ldots \| r_s, x)$ and finally output $\mathrm{RC}^F_s(k', r_1 \| \ldots \| r_s, a_1) \| \ldots \| \mathrm{RC}^F_s(k', r_1 \| \ldots \| r_s, a_\phi)$. Security of this construction can be inferred from the fact that evaluating it at input x amounts to evaluating at inputs $(x, a_1), \ldots, (x, a_\phi)$ a variant of the RC-construction with input set $X \times \{a_1, \ldots, a_\phi\}$ and prefix-free encoding $\mathrm{ENC}'(x, a) := \mathrm{ENC}(x) \| \mathrm{ENC}(a)$.

3.2 Efficient Encryption and PRGs from the RC-Construction 

This section addresses two important applications of the RC-construction. For lack of space, we omit the proofs of the technical claims (which are mostly corollaries of Theorem 1 or are based on standard techniques).

Symmetric Encryption from the RC-Construction. Given a PRF $F : \{0,1\}^\kappa \times \{0,1\}^m \to \{0,1\}^n$ (in practice usually realized by a block cipher) one obtains an efficient stateful IND-CPA¹⁰ encryption scheme for arbitrary-length messages by using F in so-called counter mode, i.e. given a secret key k, we keep a counter ctr (initially 0), and the plaintext x (padded such that |x| is a multiple of n) is encrypted as $[\mathrm{ctr},\; x \oplus (F(k, \mathrm{ctr}) \| F(k, \mathrm{ctr} + 1) \| \ldots \| F(k, \mathrm{ctr} + |x|/n - 1))]$ (and ctr is increased by |x|/n), where integers are canonically mapped to m-bit strings. Note in particular that we need one call to F for each n-bit block of encrypted data. Variants of randomized stateless counter-mode encryption (where one chooses a fresh random counter at every encryption instead of keeping a state) based on any WPRF $F : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$ were presented in […]. As with a full PRF, these schemes only require one call per n-bit block of encrypted data, but the underlying WPRF must be secure against as many queries as the number of encrypted message blocks.

¹⁰ Informally, a (stateful or randomized) encryption scheme (E, D) is IND-CPA secure […] if for a secret key K no polynomial-time adversary can distinguish the encryptions $E(K, x_0)$ and $E(K, x_1)$ for any two equally long messages $x_0, x_1$ of its choice even if it can obtain adaptively chosen encryptions E(K, x) for arbitrary x's.

One can substantially weaken the assumption to an s-WPRF by using the RC-construction in stateful counter mode (with any encoding scheme). However, a dramatic increase of efficiency is achieved using a prefix-free encoding scheme CTRENC : ℕ → {1, …, s}^+ tailored to this mode of operation, defined as

$$\mathrm{CTRENC}(i) := 1^{i \,\mathrm{div}\, (s-1)} \,\|\, \big(2 + (i \bmod (s-1))\big).$$

The tree arising from this encoding scheme is illustrated in Figure 2. In particular, it is clear that the sequence of values $\mathrm{RC}^{F,\mathrm{CTRENC}}_s(0), \mathrm{RC}^{F,\mathrm{CTRENC}}_s(1), \ldots$ can be computed very efficiently in an iterated way using only n + sn bits of memory and needing approximately 1 + 1/(s − 1) calls to F per κ-bit block of encrypted data. Furthermore, the values $r_1, \ldots, r_s$ can be chosen publicly by one communicating party (provided an authenticated channel is available), hence reducing the cost of key establishment to the generation of the n-bit private part of the key. Security against (adaptive) chosen-ciphertext attacks based on any s-WPRF can then be obtained by standard techniques appending a MAC of the ciphertext […] (e.g. using any of the PRF constructions presented in this paper).
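As an added example (not code from the paper), the following Python puts the RC-construction of Section 3.1 and the CTRENC counter mode above side by side: the canonical prefix-free ENC, the fixed-length encoding into ⌈ℓ/log s⌉ symbols, the cascade F*, and an iterated evaluation of $\mathrm{RC}^{F,\mathrm{CTRENC}}_s(0), \mathrm{RC}^{F,\mathrm{CTRENC}}_s(1), \ldots$ whose F-call count can be compared with evaluating every counter value from scratch. F is a SHA-256 stand-in with κ = n = 256 that is merely assumed to be an s-WPRF; keys and inputs are constructed.

```python
"""Randomized cascade (RC) construction with a prefix-free encoding ENC, and
the CTRENC encoding for efficient stateful counter mode (Section 3).
Added example, not the paper's code: F is a SHA-256 stand-in for the
s-WPRF F : {0,1}^kappa x {0,1}^n -> {0,1}^kappa with kappa = n = 256 (the
paper's bounds need F to be an s-WPRF, which is only assumed here), and
all keys and inputs are constructed for the demonstration."""
import hashlib

KAPPA = N = 32  # bytes: private key / chaining value size, and size of each r_i
_calls = 0      # number of F invocations, used to check the cost claims


def F(k: bytes, r: bytes) -> bytes:
    """Stand-in keyed function F(k, r) := SHA-256(k || r)."""
    global _calls
    _calls += 1
    return hashlib.sha256(k + r).digest()


def cascade(k: bytes, blocks) -> bytes:
    """F*(k, (m_1, ..., m_l)): y_0 := k, y_i := F(y_{i-1}, m_i); output y_l."""
    y = k
    for m in blocks:
        y = F(y, m)
    return y


def enc_ail(x: bytes, s: int):
    """Prefix-free ENC : {0,1}* -> {1, ..., s}^+: the bits become symbols in
    {1, ..., s-1} (log2(s-1) bits each), then the terminator s is appended.
    Requires s-1 in {2, 4, 16, 256} so that bytes split evenly."""
    b = (s - 1).bit_length() - 1
    assert s - 1 == 1 << b and 8 % b == 0, "s-1 must be 2, 4, 16 or 256"
    seq = []
    for byte in x:
        for shift in range(8 - b, -1, -b):  # most significant chunk first
            seq.append(1 + ((byte >> shift) & (s - 2)))
    return seq + [s]


def enc_fixed(x: int, ell: int, s: int):
    """Canonical encoding of an ell-bit input (as an integer) into exactly
    ceil(ell / log2 s) symbols of {1, ..., s}; equal lengths make it prefix-free."""
    length = 0
    while s ** length < 2 ** ell:
        length += 1
    seq = []
    for _ in range(length):
        seq.append(1 + x % s)
        x //= s
    return seq[::-1]


def ctrenc(i: int, s: int):
    """CTRENC(i) := 1^(i div (s-1)) || (2 + (i mod (s-1)))."""
    return [1] * (i // (s - 1)) + [2 + (i % (s - 1))]


def rc(k: bytes, rs, symbols) -> bytes:
    """RC_s^{F,ENC}(k, r_1||...||r_s, x) := F*(k, (r_{m_1}, ..., r_{m_l})) where
    (m_1, ..., m_l) = ENC(x) is passed as `symbols` and s = len(rs)."""
    return cascade(k, [rs[m - 1] for m in symbols])


def ctr_keystream(k: bytes, rs, ctr: int, nblocks: int):
    """RC_s^{F,CTRENC}(ctr), ..., RC_s^{F,CTRENC}(ctr + nblocks - 1), computed
    iteratively: the state z is the value of the inner vertex 1^j, j = ctr div
    (s-1), i.e. the cascade of j copies of r_1; every s-1 blocks a single call
    advances to the next inner vertex, so the cost is 1 + 1/(s-1) calls/block."""
    s = len(rs)
    j = ctr // (s - 1)
    z = cascade(k, [rs[0]] * j)
    out = []
    for i in range(ctr, ctr + nblocks):
        if i // (s - 1) != j:  # descend one step further along the 1^* path
            z = F(z, rs[0])
            j += 1
        out.append(F(z, rs[1 + i % (s - 1)]))  # leaf with symbol 2+(i mod (s-1))
    return out


def count_calls(fn, *args):
    """Run fn(*args) and return (result, number of F calls it made)."""
    global _calls
    before = _calls
    result = fn(*args)
    return result, _calls - before


def ctr_encrypt(k: bytes, rs, ctr: int, x: bytes):
    """Stateful counter mode [ctr, x xor keystream] with RC_s^{F,CTRENC} as the
    PRF; |x| must be a multiple of kappa. Returns (ctr, ciphertext, new ctr)."""
    assert len(x) % KAPPA == 0
    nblocks = len(x) // KAPPA
    pad = b"".join(ctr_keystream(k, rs, ctr, nblocks))
    return ctr, bytes(a ^ b for a, b in zip(x, pad)), ctr + nblocks
```

With s = 3 and 20 consecutive counter blocks, `ctr_keystream` makes 29 calls to F where 20 independent evaluations of `rc` over `ctrenc` make 110, which is the 1 + 1/(s − 1) calls per block claimed above.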

Pseudorandom Generators from s-WPRFs. Recall that a pseudorandom generator (PRG) is a length-expanding function $G : \{0,1\}^\kappa \to \{0,1\}^m$ such that G(K) is computationally indistinguishable from a random m-bit string under a random K. Surprisingly, constructing a good PRG from a WPRF (or an s-WPRF) turns out not to be a straightforward task: In contrast to PRFs, a WPRF F does not generally allow to find few "good" inputs $x_1, \ldots, x_t$ such that the mapping $k \mapsto F(k, x_1) \| \ldots \| F(k, x_t)$ is a PRG. However, one can use this approach employing the RC-construction as the underlying PRF: For any t fixed inputs $x_1, \ldots, x_t$ (t > 2) the mapping $G^F : \{0,1\}^{sn+\kappa} \to \{0,1\}^{sn+t\kappa}$ such that $G^F(r_1, \ldots, r_s, k)$ equals

$$r_1 \| \cdots \| r_s \| \mathrm{RC}^F_s(k, r_1 \| \cdots \| r_s, x_1) \| \cdots \| \mathrm{RC}^F_s(k, r_1 \| \cdots \| r_s, x_t)$$

is a PRG if F is an s-WPRF. (The order of the strings in the concatenation is irrelevant.) Note that an important advantage is that the strings $r_1, \ldots, r_s$ can be output as well. For example, given a 2-WPRF $F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$, the mapping $G : \{0,1\}^{3n} \to \{0,1\}^{6n}$ such that $G(k, r_0, r_1)$ is set to

$$r_0 \,\|\, F(F(k, r_0), r_0) \,\|\, F(F(k, r_0), r_1) \,\|\, F(F(k, r_1), r_0) \,\|\, F(F(k, r_1), r_1) \,\|\, r_1 \qquad (1)$$

is a length-doubling PRG which requires 6 calls to F. In particular, 3 calls are necessary in order to output only one of the two halves of the output. This improves a construction given in [14], which needed 3 and 4 calls, respectively.
An alternative approach to building a PRF from an s-WPRF F would consist of first constructing a length-doubling PRG G from F, and subsequently using the well-known GGM-construction […] to build a PRF with a κ-bit key and ℓ-bit inputs by outputting, on input $x = (x_1, \ldots, x_{\ell-1}, x_\ell) \in \{0,1\}^\ell$ and key k, the κ-bit value $G_{x_\ell}(G_{x_{\ell-1}}(\cdots G_{x_1}(k) \cdots))$, where $G_i(k)$ for i = 0, 1 gives the first and the second half of the output of G, respectively. However, it is not hard to see that all constructions following this approach turn out to be less efficient than using the RC-construction directly (e.g. using the PRG of Equation (1) one needs 3 calls of F per input bit).

4 The Nested Randomized Cascade Construction 

Even though the RC-construction can be practically efficient in the special instantiation scenarios discussed earlier, its throughput is a major bottleneck in the case where the construction is used as a PRF (or a MAC) which is invoked at arbitrary inputs with variable lengths. Furthermore, the prefix-free encoding can be a limiting factor in the arbitrary-input-length case. This section presents a construction with better efficiency for long messages (i.e. longer than κ bits) and with no prefix-freeness requirements. Its core ingredient is a novel use of pairwise independence.

Pairwise-Independent Mappings.¹¹ Recall that a mapping $M : \{0,1\}^\kappa \times \{0,1\}^m \to \{0,1\}^n$ is pairwise independent if the values M(K, x) and M(K, x') are independent and uniformly distributed for all distinct x, x' ∈ {0,1}^m under a random κ-bit key K. Most pairwise-independent mappings satisfy the following property, which will be central in our construction.

Definition 1. A pairwise-independent mapping $M : \{0,1\}^\kappa \times \{0,1\}^m \to \{0,1\}^n$ is key programmable if there exists a (possibly randomized) algorithm SAMPLE which on input (x, x', y, y') (where possibly x = x', y = y') returns a uniformly chosen element from the set $\{k \mid M(k, x) = y,\; M(k, x') = y'\}$.

If M is key programmable, the following two random experiments are equivalent to sampling a random κ-bit key K: (i) For some m-bit string x, sample Y as a uniform random n-bit string and K := SAMPLE(x, x, Y, Y); and (ii) For n-bit strings x ≠ x', sample Y, Y' as independent random n-bit strings and K := SAMPLE(x, x', Y, Y'). Both of the last two sampling strategies are used to ensure that M(K, x) = Y (and possibly M(K, x') = Y') for values Y, Y' ∈ {0,1}^n which, although uniform and independent, are provided externally.

We provide two examples of key-programmable pairwise-independent mappings.

Example 1. Let M be such that given $k_1, k_2 \in \{0,1\}^n$ and the input x ∈ {0,1}^n, the output $M(k_1 \| k_2, x)$ equals $k_1 \oplus (k_2 \odot x)$, where ⊕ and ⊙ are addition and multiplication of n-bit strings interpreted as elements of the extension field GF(2^n). The unique $k_1 \| k_2$ such that $M(k_1 \| k_2, x) = y$ and $M(k_1 \| k_2, x') = y'$ (with x ≠ x') can efficiently be found by solving the corresponding system of two equalities. If only a single constraint $M(k_1 \| k_2, x) = y$ is given, one chooses a random n-bit string $k_2$ and sets $k_1 := (k_2 \odot x) \oplus y$.

Example 2. An alternative is the mapping M' whose (nm + n)-bit key consists of an (m × n)-binary matrix A and of an n-dimensional binary column vector b, and on input x the output is Ax + b, where x is interpreted as an m-dimensional column vector, and addition and multiplications are modulo 2. The function M' needs a larger key than M described above, but avoids finite-field multiplications.

¹¹ We use the word mapping, rather than hash function, to stress the fact that m = n may also hold.

Construction. The main idea of the nested RC-construction (called NRC, for 
short) is to combine an iterated phase where blocks are processed at a higher rate 
(but which satisfies a property weaker than pseudorandomness) with a second 
phase where the RC s . K -construction (for fixed input length k and a parameter s) 
is invoked on the output of the first phase (with independent key material). 

More precisely, let $M : \{0,1\}^{\kappa'} \times \{0,1\}^m \to \{0,1\}^n$ be a key-programmable pairwise-independent mapping and let $F : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^\kappa$ be the given compression function. The construction $\mathrm{PI}^M_F : \{0,1\}^{\kappa+\kappa'} \times \{0,1\}^* \to \{0,1\}^\kappa$ takes a key $k\|k'$, where $k \in \{0,1\}^\kappa$ and $k' \in \{0,1\}^{\kappa'}$. On input $x \in \{0,1\}^*$, it pads$^{12}$ $x$ as $(x_1, \dots, x_\lambda)$, where $x_1, \dots, x_\lambda \in \{0,1\}^m$, and outputs

$F^*(k, (M(k', x_1), \dots, M(k', x_\lambda)))$.

Moreover, given the additional parameter $s$, we define the nested construction $\mathrm{NRC}^M_{F,s} : \{0,1\}^{2\kappa+\kappa'} \times \{0,1\}^{sn} \times \{0,1\}^* \to \{0,1\}^\kappa$ such that

$\mathrm{NRC}^M_{F,s}(k_1\|k_2\|k', r_1\|\cdots\|r_s, x) := \mathrm{RC}^F_{s,\kappa}(k_1, r_1\|\cdots\|r_s, \mathrm{PI}^M_F(k_2\|k', x))$.

It is easy to verify that in order to process a message $x$, the construction needs in total $\lceil (|x|+1)/m \rceil + \lceil \kappa / \log s \rceil$ calls to the underlying function $F$.

It is tempting to increase the throughput of the construction by choosing a mapping $M$ with $m$ much larger than $n$. However, all known constructions of pairwise-independent hash functions (in particular key-programmable ones) require keys twice as long as the input (rather than the output), and hence such an approach would entail a much longer key. In fact, we believe the length-preserving mapping $M$ presented above to be a viable, practically efficient solution: This special case of the construction is depicted in Figure 1.

Security. The following theorem precisely quantifies the security of the NRC-construction. We give only a compact statement, as well as an overview of the proof. The complete proof and the concrete reduction arising from it are given in the full version.


12 According to the canonical padding which pads a string $x$ to a length that is a multiple of $m$ by appending a 1 and sufficiently many 0's: The resulting padded string hence consists of $\lceil (|x|+1)/m \rceil$ $m$-bit blocks.
Theorem 2. Let $M : \{0,1\}^{\kappa'} \times \{0,1\}^m \to \{0,1\}^n$ be a key-programmable pairwise-independent mapping, and $F : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^\kappa$. For all $s \geq 2$ and for all $t$, $q$, and $\ell$ we have

$\mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{NRC}^M_{F,s}}(t, q, \ell) \leq \left(1 + q\left(\lceil \kappa/\log s \rceil - 1\right)\right) \cdot \left(\mathrm{Adv}^{\mathrm{WPRF}}_F(t', s) + s^2 \cdot 2^{-(n+1)}\right) + \lceil (\ell+1)/m \rceil \cdot q^2 \cdot \left(\mathrm{Adv}^{\mathrm{WPRF}}_F(t'', 2) + 2^{-n}\right) + q^2 \cdot 2^{-\kappa},$

where $t' = t + O\big(q(\lceil \kappa/\log s \rceil + \lceil (\ell+1)/m \rceil) \cdot t_F\big)$ and $t'' = O(\lceil (\ell+1)/m \rceil \cdot t_F)$, with $t_F$ being the time needed for an evaluation of $F$.

The core of the proof consists of showing that whenever $F$ is a WPRF for two-query adversaries, the PI-construction is $\delta$-AU for a suitable function $\delta$ to be computed below. In the following, given two inputs $x, x'$ with corresponding padded strings $(x_1, \dots, x_\lambda)$ and $(x'_1, \dots, x'_{\lambda'})$ (where without loss of generality $\lambda \leq \lambda'$), let $\lambda^*$ be maximal with the property that $x_1 = x'_1, \dots, x_{\lambda^*} = x'_{\lambda^*}$ (in particular, $\lambda^* := 0$ if $x_1 \neq x'_1$), and define the quantity $\Delta(x, x')$ as $\lambda + \lambda' - \lambda^* - 1$ if $(x_1, \dots, x_\lambda)$ is not a prefix of $(x'_1, \dots, x'_{\lambda'})$, and as $\lambda + 1$ otherwise. In particular, note that $\Delta(x, x') \leq \lambda + \lambda' \leq 2\max\{\lambda, \lambda'\} \leq 2\lceil (\ell+1)/m \rceil$ if $|x|, |x'| \leq \ell$.

The following lemma provides a precise upper bound on the collision probability of the PI-construction in terms of the WPRF distinguishing advantage of a distinguisher $D_{x,x'}$ (which in particular only depends on $x$ and $x'$) for $F$. We refer the reader to the full version of this paper for its proof.

Lemma 2. For all distinct inputs $x, x' \in \{0,1\}^*$, there exists a two-query distinguisher $D_{x,x'}$ such that

$p^{\mathrm{coll}}_{\mathrm{PI}^M_F}(x, x') \leq \Delta(x, x') \cdot \left(\mathrm{Adv}^{\mathrm{WPRF}}_F(D_{x,x'}) + 2^{-n}\right) + 2^{-\kappa},$

where $D_{x,x'}$ has running time $O(\Delta(x, x') \cdot t_F)$.

In particular, given some $\ell$, let $t'' = O(\lceil (\ell+1)/m \rceil \cdot t_F)$ be the maximal running time of the distinguisher $D_{x,x'}$ taken over all $x, x'$ with $|x|, |x'| \leq \ell$. We define $\delta(\ell) := 2\lceil (\ell+1)/m \rceil \cdot \left(\mathrm{Adv}^{\mathrm{WPRF}}_F(t'', 2) + 2^{-n}\right) + 2^{-\kappa}$. The function $\mathrm{PI}^M_F$ is $\delta$-universal by Lemma 2, and this implies Theorem 2 using Lemma 1 and Theorem 1.
5 Black-Box Keying of Iterated Hash Functions

The iterated structure of the RC- and the NRC-constructions makes compression functions ideal candidates for instantiating the underlying $s$-WPRF. In general, however, we may be constrained to only have black-box access to an implementation of an iterated hash function $H : \{0,1\}^* \to \{0,1\}^\kappa$ (cf. Section 2) with direct access neither to the initialization value $IV$ nor to the underlying compression function $F : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^\kappa$. To overcome this obstacle, we encode (as in HMAC) an $n$-bit key as the first block of the input to the hash function $H$. More precisely, given the prefix-free encoding scheme $\mathrm{ENC} : \{0,1\}^* \to \{1, \dots, s\}^+$, we consider the construction $\mathrm{HRC}^H_{s,\mathrm{ENC}}$ which takes a key with private part $k \in \{0,1\}^n$ and public part $r_1, \dots, r_s \in \{0,1\}^n$, and on input $x$ with $\mathrm{ENC}(x) = (m_1, \dots, m_\lambda)$ outputs the value

$\mathrm{HRC}^H_{s,\mathrm{ENC}}(k, r_1\|\cdots\|r_s, x) := H(k\|r_{m_1}\|\cdots\|r_{m_\lambda}),$

and analogously we define $\mathrm{HRC}^H_{s,\ell}$ for inputs of fixed length $\ell$ (using the canonical encoding to the base $s$). Furthermore, with $M : \{0,1\}^{\kappa'} \times \{0,1\}^m \to \{0,1\}^n$ being a key-programmable pairwise-independent mapping, we consider the construction $\mathrm{HNRC}^{H,M}_s$ which takes a key with private part $k_1, k_2 \in \{0,1\}^n$, $k' \in \{0,1\}^{\kappa'}$ and public parts $r_1, \dots, r_s$. On input $x$ (padded as $(x_1, \dots, x_\lambda)$) it outputs

$\mathrm{HNRC}^{H,M}_s(k_1\|k_2\|k', r_1\|\cdots\|r_s, x) := \mathrm{HRC}^H_{s,\kappa}(k_1, r_1\|\cdots\|r_s, H(k_2\|M(k', x_1)\|\cdots\|M(k', x_\lambda))).$
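As an added example (not the paper's code), the fixed-input-length variant $\mathrm{HRC}^H_{s,\ell}$ in Python with $H$ instantiated as SHA-256 and its 512-bit block taken as $n$; the canonical base-$s$ encoding is implemented as the fixed-length digit expansion (an assumption about its exact form), and the private key block and the public blocks are drawn at random here.

```python
"""HRC^H_{s,ell}: keying a black-box iterated hash H (Section 5), added example.

The paper treats H abstractly; here H is SHA-256, whose block size is n = 512 bits
(an illustrative choice). The private key k and the public values r_1..r_s are each
one n-bit block, so H consumes exactly one block per encoded digit in
H(k || r_{m_1} || ... || r_{m_lambda}), mirroring the HMAC trick of feeding the key
as the first block of the hash input.
"""
import hashlib
import math
import secrets
from typing import List, Tuple

N_BYTES = 64  # n = 512 bits, the SHA-256 block size


def canonical_base_s(x: int, ell: int, s: int) -> List[int]:
    """Fixed-length canonical encoding of an ell-bit integer into digits in {1, ..., s}:
    ceil(ell / log2 s) base-s digits (most significant first), each shifted by one so
    that digit d selects the public block r_d. The fixed length makes the code prefix-free."""
    if not 0 <= x < (1 << ell):
        raise ValueError("x must be an ell-bit value")
    length = math.ceil(ell / math.log2(s))
    digits = []
    for _ in range(length):
        digits.append(x % s + 1)
        x //= s
    return digits[::-1]


def hrc_keygen(s: int) -> Tuple[bytes, List[bytes]]:
    """Private part k and public part r_1..r_s, all uniformly random n-bit blocks."""
    return secrets.token_bytes(N_BYTES), [secrets.token_bytes(N_BYTES) for _ in range(s)]


def hrc(k: bytes, r: List[bytes], x: int, ell: int) -> bytes:
    """HRC^H_{s,ell}(k, r_1||...||r_s, x) := H(k || r_{m_1} || ... || r_{m_lambda})."""
    if len(k) != N_BYTES or any(len(ri) != N_BYTES for ri in r):
        raise ValueError("k and every r_i must be exactly one hash block long")
    blocks = b"".join(r[m - 1] for m in canonical_base_s(x, ell, len(r)))
    return hashlib.sha256(k + blocks).digest()


def blocks_hashed(ell: int, s: int) -> int:
    """Number of n-bit input blocks H processes before its own padding block:
    one for the key plus ceil(ell / log2 s) for the encoded input."""
    return 1 + math.ceil(ell / math.log2(s))
```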

In order to lift the security statements of the RC- and the NRC-constructions to both the HRC- and HNRC-constructions, the assumption that $F$ is an $s$-WPRF is not sufficient: First, it is necessary that the $\kappa$-bit output $F(IV, K)$ is computationally indistinguishable from a uniformly-distributed random string of length $\kappa$ (under a secret random $K$): This guarantees that the chaining value obtained after the first evaluation of $F$ is pseudorandom and can be used as the "key" for the RC- or the PI-construction. A further problem is due to the fact that we generally cannot enforce the last $n$-bit block processed by $F$ to be random because of the padding introduced by $H$, and this issue should not destroy the pseudorandomness of the outputs. To our rescue, however, comes the fact that each such block is processed keying $F$ with a fresh pseudorandom value: It is hence enough to additionally guarantee that for an arbitrary fixed $n$-bit string $x$ and a random secret $\kappa$-bit string $K$, the string $F(K, x)$ is computationally indistinguishable from a random $\kappa$-bit string.

We stress that both these extra properties are very weak requirements: In fact, a good compression function should satisfy them even unconditionally. It is sufficient, for example, that $F(IV, \cdot)$ and $F(\cdot, x)$ (for all $x \in \{0,1\}^n$) are all (nearly) regular functions. (We refer the reader to [?] for a discussion of regularity properties of hash functions.) With these two additional assumptions on the compression function $F$ of $H$, the security bounds of the RC- and the NRC-construction can be lifted to their black-box counterparts. For lack of space, we omit the proofs, which are very similar to the ones of the original constructions.
6 Conclusions and Open Problems

We have shown that efficient arbitrary-input-length PRFs (and consequently MACs and encryption schemes) can be constructed under very weak assumptions, i.e. weak PRFs where security holds only for a limited number of queries. Our results provide new insights into the property of weak pseudorandomness.

A natural open question is whether there exist constructions of PRFs from WPRFs which take explicit advantage of more secure WPRFs (i.e. tolerating many queries) to achieve more efficient constructions than what we propose and what was considered in the literature (e.g. processing linearly-many bits per invocation even for short inputs). We conjecture, however, that this is not possible. A further direction arising from our work consists of finding further examples of cryptographic primitives where restricting adversaries in terms of queries leads to interesting phenomena such as those observed in this paper for weak pseudorandomness.
A Description of $D'$ in the Proof of Theorem 1

We define $L + 1$ hybrid experiments $H_0, H_1, \dots, H_L$ where $D$ is given random inputs $r_1, \dots, r_s$ and interacts with a (randomized) oracle $X \to \{0,1\}^\kappa$ that keeps track of all vertices of the subtree of $T$ induced by the queries of $D$. In particular, it assigns to all internal vertices $v$ of this subtree increasing integer values $l(v)$ according to the order in which they are visited for the first time, with $l(\varepsilon) := 0$. Furthermore, it associates $\kappa$-bit values $z(v)$ with all visited vertices: Initially only $z(\varepsilon)$ is defined and set to a random value. In $H_i$ an oracle query $x \in X$ (with $\mathrm{ENC}(x) = (m_1, \dots, m_\lambda)$) by $D$ is answered by looking for the highest $\lambda^*$ such that $z(m_1, \dots, m_{\lambda^*})$ is defined and for all $j = \lambda^* + 1, \dots, \lambda$ assigning to $z(m_1, \dots, m_j)$ a fresh random value if $l(m_1, \dots, m_{j-1}) < i$ and $F(z(m_1, \dots, m_{j-1}), r_{m_j})$ otherwise. Finally, $z(m_1, \dots, m_\lambda)$ is returned to $D$ as the oracle's output. Clearly, $H_0$ behaves as the experiment where $D$ interacts with the RC-construction, whereas $H_L$ answers all queries of $D$ randomly.

For all $i = 0, \dots, L - 1$ one then constructs a distinguisher $D_i$ for $S_{F(k,\cdot)}$ and $S_{R_{n,\kappa}}$ which first issues $s$ queries to the given oracle, obtaining $s$ pairs $(r_1, y_1), \dots, (r_s, y_s)$ and subsequently simulates the interaction of $D$ with $H_i$, except that $z(m_1, \dots, m_j)$ is set to $y_{m_j}$ whenever $l(m_1, \dots, m_{j-1}) = i$. Finally, the distinguisher $D'(D)$ chooses a random $i \in \{0, \dots, L - 1\}$ and runs $D_i$.

We refer the reader to the full version for the concrete analysis of the distinguishing advantage of $D'$.
Abstract. In an oblivious transfer (OT) protocol, a Sender with messages $M_1, \dots, M_N$ and a Receiver with indices $\sigma_1, \dots, \sigma_k \in [1, N]$ interact in such a way that at the end the Receiver obtains $M_{\sigma_1}, \dots, M_{\sigma_k}$ without learning anything about the other messages and the Sender does not learn anything about $\sigma_1, \dots, \sigma_k$. In an adaptive protocol, the Receiver may obtain $M_{\sigma_{i-1}}$ before deciding on $\sigma_i$. Efficient adaptive OT protocols are interesting as a building block for secure multiparty computation and for enabling oblivious searches on medical and patent databases.

Historically, adaptive OT protocols were analyzed with respect to a "half-simulation" definition which Naor and Pinkas showed to be flawed. In 2007, Camenisch, Neven, and shelat, and subsequent other works, demonstrated efficient adaptive protocols in the full-simulation model. These protocols, however, all use standard rewinding techniques in their proofs of security and thus are not universally composable. Recently, Peikert, Vaikuntanathan and Waters presented universally composable (UC) non-adaptive OT protocols for the 1-out-of-2 variant, in the static corruption model using certain trusted setup assumptions. However, it is not clear how to preserve UC security while extending these protocols to the adaptive $k$-out-of-$N$ setting. Further, any such attempt would seem to require $O(N)$ computation per transfer for a database of size $N$. In this work, we present an efficient and UC-secure adaptive $k$-out-of-$N$ OT protocol in the same model as Peikert et al., where after an initial commitment to the database, the cost of each transfer is constant. Our construction is secure under bilinear assumptions in the standard model.


1 Introduction 

Oblivious transfer (OT) was introduced by Rabin [?] and generalized by Even, Goldreich and Lempel [?] and Brassard, Crépeau and Robert [?]. It is a two-party protocol, where a Sender with messages $M_1, \dots, M_N$ and a Receiver with indices $\sigma_1, \dots, \sigma_k \in [1, N]$ interact in such a way that at the end the Receiver obtains $M_{\sigma_1}, \dots, M_{\sigma_k}$ without learning anything about the other messages and the Sender does not learn anything about $\sigma_1, \dots, \sigma_k$. Naor and Pinkas were the first to consider an adaptive setting, $\mathrm{OT}^N_{k \times 1}$, where the Receiver may obtain $M_{\sigma_{i-1}}$ before deciding on $\sigma_i$. Efficient OT schemes are very important. $\mathrm{OT}^N_k$ is a key building block for secure multi-party computation [?]. $\mathrm{OT}^N_{k \times 1}$ is a useful and interesting tool in its own right, enabling oblivious databases for applications such as medical record storage and patent searches [?].

Developing efficient adaptive protocols appears to be a more difficult and involved process than for the non-adaptive protocols. Indeed, even finding the right security definition has proven challenging. Historically, many OT constructions were analyzed under a "half-simulation" definition, where the Sender's and Receiver's security are described by a combination of simulation and game-based definitions. Naor and Pinkas [23] showed that schemes analyzed under this definition may admit practical attacks on the Receiver's privacy. To address this, Camenisch, Neven and shelat [?] and subsequently Green and Hohenberger [?] proposed efficient and fully-simulatable $\mathrm{OT}^N_{k \times 1}$ protocols under bilinear assumptions. Each of these protocols achieves the optimal total communication cost of $O(N + k)$ with reasonable constants. Unfortunately, their security proofs use adversarial rewinding, and thus do not imply security under concurrent execution.

Recently, Lindell [?] showed how to achieve efficient and fully-simulatable non-adaptive $\mathrm{OT}^2_1$ under the DDH, $N$th residuosity and quadratic residuosity assumptions, as well as the assumption that homomorphic encryption exists. Simultaneously, Peikert, Vaikuntanathan and Waters [20] proposed several non-adaptive, but universally composable $\mathrm{OT}^2_1$ protocols based on DDH, quadratic residuosity and lattice assumptions. While both of these works add to our collective knowledge for non-adaptive OT, they do not shed much light on how to achieve efficient adaptive protocols. Indeed, Lindell points out that the adaptive case is considerably harder [?].

The general framework used in [?, 13] (where the Receiver chooses the encryption keys) seems inherently at odds with allowing efficient adaptive schemes. Each transfer requires $O(N)$ work for the Sender, whereas this can be constant in our protocols. Even more alarming, it isn't clear how (without killing the efficiency and perhaps the UC security of [?]) a Sender could convince the Receiver that he is not changing the database values with each request. This problem of ensuring a consistent database gets even worse when multiple Receivers are considered, as we do in Section [?].

Our Results. In this work, we take a different approach to constructing OT protocols, which allows them to be simultaneously efficient, adaptive, universally composable and globally consistent. We summarize what is known about $\mathrm{OT}^N_{k \times 1}$ protocols in Figure 1. Let us describe some highlights.

1. Universal Composability: The Universal Composability framework [?] allows for the design of concurrent and composable cryptographic protocols, which are important properties in any practical deployment of an oblivious database. Canetti and Fischlin showed that OT cannot be UC-realized without trusted setup assumptions such as the existence of a Common Reference String (CRS) [?]. This is formally referred to as the $\mathcal{F}_{CRS}$-hybrid model, and is assumed by the constructions of Peikert et al. [?] as well as those in this work. As in [?], we work in a static corruption model.

Fig. 1. Survey of efficient, adaptive $k$-out-of-$N$ Oblivious Transfer protocols. (The table itself did not survive extraction; its legible cells are "Decisional Bilinear DH (in ROM)" from an earlier row and, for the row "UC ($\mathcal{F}_{CRS}$-hybrid): This work", the entries $k + 1/2$, $O(N)$ and "SXDH + DLIN + $q$-Hidden LRSW".)

2. Efficiency: Our protocol is practical. For a database of $N$ objects, the initialization phase requires $O(N)$ communication cost, and each transfer phase requires only constant cost, for reasonable constants. In contrast, simply repeating an $\mathrm{OT}^N_1$ scheme (such as [?]) $k$ times would require $O(N)$ communication cost for each transfer plus the additional work required for the Sender to convince the Receiver that he isn't changing the database values dynamically. Moreover, the message space of our protocol is a group element (so at least 160 bits), whereas the quadratic residuosity and lattice-based schemes of [?] have one-bit message spaces. We note, however, that the DDH-based scheme of [?] allows for multiple-bit messages.

3. Model and Assumptions: We focus on protocols secure in the standard model. Our construction can be implemented assuming SXDH [?], Decision Linear [?], and $q$-Hidden LRSW (a non-interactive variant of the LRSW assumption [27], for which we give a generic group proof in the full version of this work [?]). We note that our decisional assumptions, SXDH and Decision Linear, are much simpler than the $q$-Power Decisional Diffie-Hellman assumption used in the (non-UC) adaptive OT of Camenisch et al. [?]. In the full version, we also provide a second construction that is secure in symmetric groups (i.e., where SXDH does not hold) under an alternative set of hardness assumptions. See Figure 1 for more.

Intuition behind the Construction. Oblivious Transfer protocols can be roughly divided into two categories. Let's restrict our attention to non-adaptive $\mathrm{OT}^N_1$ for the moment. In approach (1), which is used by [?], the Receiver transmits a collection of specially-formed encryption keys to the Sender, who encrypts each message and returns the $N$ ciphertexts to the Receiver. The protocol is secure provided that the encryption keys are formed such that a Receiver is able to decrypt at most one of the resulting ciphertexts. In approach (2), which is used by [?] and this work, the Sender encrypts the message collection under keys of her own choosing, and — in some interactive protocol with the Receiver — helps to decrypt one ciphertext.

While both approaches can be used to implement adaptive OT in theory, the first approach requires that the Sender generate a new set of ciphertexts at each transfer stage (for each receiver), requiring at least $O(N \cdot k)$ cost. Even worse, the Sender might be able to maliciously change the database between transfers and present different versions of the database to different receivers.

The latter approach is much better suited for the adaptive case. A single database can be committed to and then each decryption can be performed in constant computational and communication cost, for a total $O(N + k)$ cost. This approach is taken by the fully-simulatable protocols of [?], which both use rewinding in their simulations to (1) simulate proofs and (2) extract knowledge.$^1$

An appealing naive approach to realizing UC-secure adaptive OT would be to modify the efficient standard-model protocol of Camenisch et al. [?] by simply replacing rewinding-based proofs with the non-interactive proof techniques of Groth and Sahai [?]. Unfortunately, this is non-trivial for two reasons. First, the Groth-Sahai techniques provide broad support for non-interactive, witness indistinguishable proofs of algebraic assertions in bilinear groups, but only provide non-interactive, zero-knowledge proofs for a restricted class of algebraic assertions. Unfortunately, the proof statements required by [?] fall outside of this class, and it does not seem easy to rectify this problem. Secondly, the protocol of [?] requires some form of extraction (e.g., extracting the chosen index from the adversarial Receiver or extracting the secret encryption keys from the adversarial Sender) for proofs containing elements of $\mathbb{Z}_p$; unfortunately, Groth-Sahai proofs of knowledge are $f$-extractable (but not fully extractable), where only some one-way function of the witness, $f(w)$, can be extracted (e.g., $g^w$) and not the witness $w$ itself. Dealing with this limitation would necessitate substantial changes to the CNS protocol.

Instead, our construction starts from scratch. While we follow the "assisted decryption" framework of the CNS protocol, we are able to do so without the need for strong $q$-based decisional assumptions. We instead base the security of the ciphertexts in our scheme on the Decision Linear assumption [?]. Finally, since the Groth-Sahai proofs have not yet been shown to be either simulation-sound or UC in general, we develop techniques that permit UC simulation (even in the advanced case where multiple receivers interact with a single sender).

2 Definitions

Notation. By $\mathrm{OT}^N_k$ (resp., $\mathrm{OT}^N_{k \times 1}$), we denote a non-adaptive (resp., adaptive) $k$-out-of-$N$ oblivious transfer protocol. Let $\approx$ denote computational indistinguishability, as defined in [?].

Adaptive $k$-out-of-$N$ Oblivious Transfer. $\mathrm{OT}^N_{k \times 1}$ protocols consist of two phases: Initialization and Transfer. In the Initialization phase, the Sender commits to the input database $M_1, \dots, M_N$. Subsequently, the Sender and Receiver engage in up to $k$ Transfers. During the $i$-th Transfer, the Receiver adaptively selects a message index $\sigma_i \in [1, N]$ and engages in a protocol such that it obtains $M_{\sigma_i}$ (or $\perp$ if the protocol fails) and nothing else, while the Sender learns nothing about $\sigma_i$. The simulation-based nature of the security definition we use ensures that protocol failures must occur independently of the message index $\sigma_i$ chosen by the Receiver (capturing the strong selective-failure blindness property [?]).

1 Along the same lines, the half-simulation protocols of [?] use a form of oblivious pseudorandom function evaluation (OPRF) to encrypt and obliviously decrypt the message database. Unfortunately, the evaluation protocols described in those works appear vulnerable to selective-failure attacks, and the modifications necessary to achieve UC security (or full simulation) seem substantial.

Universally Composable Security. As in [?], we work in the standard UC framework with static corruptions, where all parties are modeled as p.p.t. interactive Turing machines. Security of protocols is defined by comparing the protocol execution to an ideal process for carrying out the desired task. More formally, there is an environment $\mathcal{Z}$ whose task is to distinguish between two worlds: ideal and real. In the ideal world, "dummy parties" (some of whom may be corrupted by the ideal adversary $\mathcal{S}$) interact with an ideal functionality $\mathcal{F}$. In the real world, parties (some of whom may be corrupted by the real world adversary $\mathcal{A}$) interact with each other according to some protocol $\pi$. We refer to Canetti [?, ?] for a fuller description, as well as a definition of the ideal world ensemble $\mathrm{IDEAL}_{\mathcal{F}, \mathcal{S}, \mathcal{Z}}$ and the real world ensemble $\mathrm{EXEC}_{\pi, \mathcal{A}, \mathcal{Z}}$. We use the established notion of a protocol $\pi$ securely realizing an ideal functionality $\mathcal{F}$ as:

Definition 1. Let $\mathcal{F}$ be a functionality. A protocol $\pi$ UC-realizes $\mathcal{F}$ if for any adversary $\mathcal{A}$, there exists a simulator $\mathcal{S}$ such that for all environments $\mathcal{Z}$,

$\mathrm{IDEAL}_{\mathcal{F}, \mathcal{S}, \mathcal{Z}} \approx \mathrm{EXEC}_{\pi, \mathcal{A}, \mathcal{Z}}.$

Canetti and Fischlin showed that OT cannot be UC-realized without a trusted setup assumption [?]. Thus, as in [?, ?], we assume the existence of an honestly-generated Common Reference String (crs), and work in the so-called $\mathcal{F}_{CRS}$-hybrid model. The functionality is parameterized by a distribution $D$ and a set $\mathcal{P}$ of recipients. For our purposes, $\mathcal{P}$ will include the OT Sender and Receiver only. Here the environment learns about the reference string from the adversary, and thus the simulator can set up a string with "trapdoor information", etc.

Figure 2 describes the $\mathcal{F}_{CRS}$ functionality and Figure 3 describes the $\mathcal{F}^{N \times 1}_{OT}$ functionality.

We briefly mention that there are techniques for designing and analyzing multiple OT protocols which use a single reference string; i.e., a multi-session extension. One might worry that if multiple protocols now share some joint state, then they can no longer be analyzed separately and then composed later. Fortunately, this is addressed by universal composition with joint state (JUC) [?] and could be done in our case. A second issue with sharing the reference string is that we make no guarantee about the security of protocols which use the same reference string in ways other than those specified by the OT protocol, and here we explicitly assume that the crs is only available to certain parties. This is at odds with the notion that the crs is a "global" entity; however, there are strong impossibility results for UC-realizing OT in a setting where the crs is available to everyone (including the environment) and can no longer be crafted by the simulator. There are models, such as the augmented CRS functionality $\mathcal{F}_{ACRS}$ [?], which overcome these impossibility results, but we do not explore these advanced UC issues with respect to our OT construction in this work.

Functionality $\mathcal{F}^D_{CRS}$

Upon receiving input (sid, crs) from party $P$, first verify that $P \in \mathcal{P}$; else ignore the input. If there is no value $r$ recorded, then choose and record $r \leftarrow D$. Finally send output (sid, crs, $r$) to $P$.

Fig. 2. Ideal functionality for the common reference string [?]

Functionality $\mathcal{F}^{N \times 1}_{OT}$

$\mathcal{F}^{N \times 1}_{OT}$ proceeds as follows, parameterized with integers $N$, $\ell$ and running with an oblivious transfer Sender $S$, a receiver $R$ and an adversary $\mathcal{S}$.

— Upon receiving a message (sid, sender, $m_1, \dots, m_N$) from $S$, where each $m_i \in \{0,1\}^\ell$, store $(m_1, \dots, m_N)$.

— Upon receiving a message (sid, receiver, $\sigma$) from $R$, check if a (sid, sender, ...) message was previously received. If no such message was received, send nothing to $R$. Otherwise, send (sid, request) to $S$ and receive the tuple (sid, $b \in \{0,1\}$) in response. Pass (sid, $b$) to the adversary, and: If $b = 0$, send (sid, $\perp$) to $R$. If $b = 1$, send (sid, $m_\sigma$) to $R$.

Fig. 3. Functionality for adaptive Oblivious Transfer, based on the $\mathrm{OT}^N_k$ definition from [?]
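The following Python simulation of $\mathcal{F}^{N \times 1}_{OT}$ from Fig. 3 is an added example, not part of the paper: it records what the Sender and the adversary receive during each transfer, making visible that neither of them sees $\sigma$ and that the failure bit $b$ is chosen without it. Messages are byte strings of a fixed length (standing in for $\{0,1\}^\ell$) and the Sender's decision is a callback; both are choices made here.

```python
"""The ideal functionality F_OT^{N x 1} of Fig. 3, run as a small simulation (added example).

The message names (sender, receiver, request) and the delivery rules follow the figure;
the party callback, the recorded views and the four-message sample database are
constructed here for illustration and are not part of the paper.
"""
from typing import Callable, Dict, List, Optional, Tuple

BOTTOM = "BOTTOM"   # the failure symbol delivered to the Receiver when b = 0


class IdealOT:
    """Stores the Sender's database once per sid, then answers adaptive receiver queries.
    The Sender only sees (sid, request) and answers a bit b; the adversary sees (sid, b)."""

    def __init__(self, N: int, ell: int, sender_decide: Callable[[str], int]):
        self.N, self.ell = N, ell
        self.db: Dict[str, List[bytes]] = {}
        self.sender_decide = sender_decide                 # Sender's reply b to (sid, request)
        self.sender_view: List[Tuple[str, str]] = []       # everything the Sender receives
        self.adversary_view: List[Tuple[str, int]] = []    # everything the adversary receives

    def on_sender(self, sid: str, messages: List[bytes]) -> None:
        """(sid, sender, m_1, ..., m_N): store the database; each m_i has ell bytes here."""
        if len(messages) != self.N or any(len(m) != self.ell for m in messages):
            raise ValueError("expected N messages of ell bytes each")
        self.db[sid] = list(messages)

    def on_receiver(self, sid: str, sigma: int) -> Optional[object]:
        """(sid, receiver, sigma): return m_sigma, BOTTOM, or None (nothing is sent)."""
        if sid not in self.db:
            return None            # no (sid, sender, ...) received yet: send nothing to R
        if not 1 <= sigma <= self.N:
            raise ValueError("sigma must lie in [1, N]")
        self.sender_view.append((sid, "request"))      # (sid, request) -> Sender; sigma withheld
        b = self.sender_decide(sid)                     # Sender answers (sid, b)
        if b not in (0, 1):
            raise ValueError("the Sender's reply must be a bit")
        self.adversary_view.append((sid, b))           # (sid, b) -> adversary
        return self.db[sid][sigma - 1] if b == 1 else BOTTOM


def run_demo() -> dict:
    """Two adaptive transfers; the Sender approves the first and refuses the second.
    The Sender's decision cannot depend on sigma because sigma is never sent to it."""
    database = [b"alpha", b"bravo", b"charl", b"delta"]   # constructed: N = 4, ell = 5 bytes
    decisions = iter([1, 0])
    f_ot = IdealOT(N=4, ell=5, sender_decide=lambda sid: next(decisions))
    early = f_ot.on_receiver("sid-1", 2)     # Receiver asks before any commitment
    f_ot.on_sender("sid-1", database)
    first = f_ot.on_receiver("sid-1", 3)     # sigma_1 = 3, b = 1: Receiver gets m_3
    second = f_ot.on_receiver("sid-1", 1)    # sigma_2 = 1, b = 0: Receiver gets BOTTOM
    return {"early": early, "first": first, "second": second,
            "sender_view": f_ot.sender_view, "adversary_view": f_ot.adversary_view}
```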

3 Preliminaries 

Bilinear Groups. Let BMsetup be an algorithm that, on input $1^\kappa$, outputs the parameters for a bilinear mapping as $\gamma = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g \in \mathbb{G}_1, \tilde g \in \mathbb{G}_2)$, where $g$ generates $\mathbb{G}_1$ and $\tilde g$ generates $\mathbb{G}_2$, the groups $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ each have prime order $p$, and $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$.

Symmetric External Diffie-Hellman Assumption (SXDH). Let $\mathrm{BMsetup}(1^\kappa) \to \gamma = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g, \tilde g)$. The SXDH assumption states that the Decisional Diffie-Hellman problem is hard within both $\mathbb{G}_1$ and $\mathbb{G}_2$. Groups where SXDH holds are one of the three settings for Groth-Sahai proofs [?].

Decision Linear Assumption (DLIN). Let $\mathrm{BMsetup}(1^\kappa) \to (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g, \tilde g)$. For all p.p.t. adversaries Adv, the following probability is strictly less than $1/2 + 1/\mathrm{poly}(\kappa)$:

$\Pr[a, b, c, d \leftarrow \mathbb{Z}_p;\ f \leftarrow g^c;\ \tilde f \leftarrow \tilde g^c;\ h \leftarrow g^d;\ \tilde h \leftarrow \tilde g^d;\ z_0 \leftarrow h^{a+b};\ z_1 \leftarrow \mathbb{G}_1;\ d \leftarrow \{0,1\} : \mathrm{Adv}(\gamma, g, \tilde g, f, \tilde f, h, \tilde h, g^a, f^b, z_d) = d].$
Note that this is a weaker asymmetric version of the original DLIN assumption of Boneh, Boyen and Shacham [?], which was set in symmetric groups.

$q$-Hidden LRSW Assumption: Let $\mathrm{BMsetup}(1^\kappa) \to \gamma = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g, \tilde g)$. For all p.p.t. adversaries Adv, the following probability is strictly less than $1/\mathrm{poly}(\kappa)$:

$\Pr[s, t \leftarrow \mathbb{Z}_p;\ S \leftarrow \tilde g^s,\ T \leftarrow \tilde g^t;\ \forall i \in [1 \dots q],\ x_i, y_i \leftarrow \mathbb{Z}_p,\ b_i \leftarrow g^{y_i},\ \tilde b_i \leftarrow \tilde g^{y_i};$

$A \leftarrow \mathrm{Adv}(\gamma, S, T, \{b_1, b_1^{s + x_1 s t}, b_1^{x_1}, b_1^{x_1 t}, g^{x_1}, \tilde b_1\}, \dots, \{b_q, b_q^{s + x_q s t}, b_q^{x_q}, b_q^{x_q t}, g^{x_q}, \tilde b_q\}) :$

$A = (a_1, a_2, a_3, a_4, a_5, a_6)\ \wedge\ x \notin \{x_1, \dots, x_q\}\ \wedge\ x \in \mathbb{Z}_p^*\ \wedge\ a_1 \in \mathbb{G}_1\ \wedge\ a_2 = a_1^{s + x s t}\ \wedge\ a_3 = a_1^{x}\ \wedge\ a_4 = a_1^{x t}\ \wedge\ a_5 = g^{x}\ \wedge\ e(a_1, \tilde g) = e(g, a_6)].$

Related formulations of the above assumption in an oracle setting, where the $x_i$ values are chosen dynamically by Adv, are the LRSW assumption which was introduced by Lysyanskaya et al. [23] and the Strong LRSW assumption of Ateniese et al. [?]. We eliminate the oracle and instead give $q$ random tuples, which are also slightly changed. In the full version of this work [?], we show that the above assumption admits a proof in Shoup's generic group model [?].

3.1 Groth-Sahai Proofs

The Groth-Sahai proof system [?] permits a variety of efficient non-interactive proofs of the satisfiability of one or more pairing product equations. For variables $\{X\}_{1 \dots m} \in \mathbb{G}_1$, $\{Y\}_{1 \dots n} \in \mathbb{G}_2$ and constants $\{A\}_{1 \dots n} \in \mathbb{G}_1$, $\{B\}_{1 \dots m} \in \mathbb{G}_2$, $a_{ij} \in \mathbb{Z}_p$, and $t_T \in \mathbb{G}_T$, these equations have the form:

$\prod_{i=1}^{n} e(A_i, Y_i) \prod_{i=1}^{m} e(X_i, B_i) \prod_{i=1}^{m} \prod_{j=1}^{n} e(X_i, Y_j)^{a_{ij}} = t_T$

Groth and Sahai show how to construct Witness Indistinguishable proofs of knowledge of a satisfying witness to such an equation, in prime-order groups where the SXDH or Decision Linear assumptions hold. The proof system they describe can be composed over multiple equations involving the same variables. They point out that in some special cases, their techniques can be strengthened to provide Zero Knowledge. Unlike the interactive proofs used in [?, ?], the Groth-Sahai proofs do not use adversarial rewinding in their security analysis.

Groth-Sahai Commitments [?]. At the core of the Groth-Sahai system is a homomorphic commitment scheme to elements of $\mathbb{G}_1$ or $\mathbb{G}_2$.$^2$ The public parameters for the commitment scheme can be generated in two ways. Method (1) leads to a perfectly-binding commitment scheme, while method (2) leads to a perfectly-hiding scheme. Note that the two parameter distributions are computationally indistinguishable under the SXDH assumption. When the GS commitment parameters are configured according to method (1), they are equivalent to an Elgamal encryption of a group element, and can be decrypted by a party that knows a trapdoor to the commitment parameters. When commitments are configured according to method (2), a "simulation" trapdoor can be used on random commitments to open them to any value $g^x$ (or $\tilde g^x$) for known $x$.

2 As noted in [?], the commitment scheme can also be used to commit to elements of $\mathbb{Z}_p$, though we use this only in the context of simulating proofs.

The Proof System. We now describe the proof system at a high level, adopting 
some notation and exposition from 0 ] . For this description we will conceal many 
of the underlying details, though the reader can refer to BEl for a more detailed 
explanation. The proof system contains the following (possibly probabilistic) 
polynomial time algorithms: 

GSSetup(7). On input 7 € BMsetup(l K ), outputs a string GS containing pa- 
rameters for the proof system. This string embeds binding parameters for 
the G-S commitment scheme. 

GS Prove (GS,S, W). On input a statement S describing the equation, and a 
satisfying witness W £ {V}i...n)> outputs a proof n. To formu- 

late this proof, a commitment Gj is generated for each element in W. The 
proof embeds openings to the commitments in such a way that a prover can 
ascertain that S is verifiably satisfied, and yet the elements of W remain 
hidden. 

GSVerify(GS', it). Verifies the proof tt (using the commitments and opening val- 
ues) and outputs Accept if -k is valid, Reject otherwise. (For compactness 
of notation, we will specify that tt embeds the statement S). 

Above we describe the proof system in normal operation. In our security proofs 
we will additionally use: 

GSExtractSetupfy). Outputs GS (distributed identically to the output of 
GSSetup(7)) and an extraction trapdoor td ext containing a trapdoor for the 
commitment scheme. This trapdoor permits an extraction of a valid witness 
from the commitments embedded within a proof. 

GS Extract ((AS, td ex t, 7 r). Given a proof n and the extraction trapdoor, extracts 
Xi or y t from each commitment C\, and outputs the witness W = 

{V}i..jv) that satisfies the equations. 

GSSimulateSetupfy). Outputs parameters GS' that are computationally indis- 
tinguishable from the output of GSSetup(7), as well as a simulation trapdoor 
td s im which consists of a simulation trapdoor for the commitment scheme. 

GSSimProve($GS', td_{sim}, S$). Given simulation parameters $GS'$ and trapdoor $td_{sim}$, outputs a proof $\pi$ of statement $S$ such that GSVerify($GS', \pi$) = Accept. Note that this algorithm operates on certain restricted classes of statements (see below).

GS proofs can be defined over multiple pairing product equations. In this case, satisfiability implies knowledge of a witness for the full set of equations. In our constructions, we will denote a GS proof statement using the notation of Camenisch and Stadler [?]. For instance,

$\mathrm{NIWI}_{GS}\{(a_1, a_2) : e(a_1, a_2)\,e(g, h^x) = 1 \ \wedge\ e(a_2, g_3)\,e(d_2^{-1}, a_3) = 1\}$

represents a non-interactive Witness Indistinguishable proof of knowledge, formed under parameters $GS$, of a witness $W = (a_1, a_2)$ that simultaneously satisfies both listed equations. All values not enclosed within the initial ()'s are assumed to be known to the verifier.

Witness Indistinguishability and Zero Knowledge. In general, Groth-Sahai proofs satisfy a strong definition of Witness Indistinguishability in groups where the SXDH assumption holds (complete security definitions can be found in the full version of this work [23]). However, for certain restricted classes of statements, the proof system can also be used to construct non-interactive Zero Knowledge (NIZK) proofs. For certain trivial statements, this is simply a matter of using a WI proof for which a witness can easily be found. E.g., in the special case where $t_T = 1$ for a pairing product equation, a simulator can always compute a satisfying witness by selecting each $X_i$ or $Y_i$ to be $g^0$ or $\hat g^0$ respectively.

More practically, Groth and Sahai observe that some non-trivial statements can be proven in Zero Knowledge by applying the simulation trapdoor for the Groth-Sahai commitment scheme. This trapdoor allows the simulator to open a random commitment to any $g^x$ or $\hat g^x$ (for known $x$), and can be applied such that the same commitment is opened differently for each equation within the statement. In some cases, we may need to re-write a statement in order to construct a ZK proof. For example, consider a proof of the statement $e(a, d) = e(g, h)$ made on variable $a$ and constants $d, g, h$. By adding a second variable $b$ and a further equation, we obtain an equivalent statement which can be proven using the following zero knowledge proof:

$\mathrm{NIZK}_{GS}\{(a, b) : e(a, d)\,e(b, h^{-1}) = 1 \ \wedge\ e(b, g)\,e(g^{-1}, g) = 1\}$

Note that the equivalence holds by the property that $b = g$ is the only valid solution to the revised equation. However, using the simulation trapdoor we can open the appropriate commitments such that $a = b = g^0$ in the first equation, while in the second equation $b = g$. We will use similar techniques to simulate the Zero-Knowledge proofs in our constructions.

3.2 Additional Tools 

Modified CL Signatures. Our constructions use a variant of the Camenisch-Lysyanskaya signature scheme [?], altered to operate on messages in $\mathbb{G}_1$. Whereas CL signatures rely on the interactive LRSW assumption to achieve security against adaptive chosen-message attacks, in the context of our construction we will require only a non-interactive $q$-Hidden LRSW assumption to achieve a weaker property (unforgeability given a set of signatures on random messages).

CLKeyGen($\gamma, g, \hat g$). On input $\gamma = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, \ldots)$ and generators $(g, \hat g)$, select $s, t \leftarrow \mathbb{Z}_p$ and set $S \leftarrow \hat g^s$, $T \leftarrow \hat g^t$. Output $vk = (\gamma, g, \hat g, S, T)$, and $sk = (vk, s, t)$.

CLSign$_{sk}(m)$. On input a message $m \in \mathbb{G}_1$, select $w \leftarrow \mathbb{Z}_p$ and output the signature $sig = (g^w, m^w, g^{ws} m^{wst}, m^{wt}, \hat g^w) \in \mathbb{G}_1^4 \times \mathbb{G}_2$.

CLVerify$_{vk}(sig, m)$. On input the value $m \in \mathbb{G}_1$ and $sig = (a_1, a_2, a_3, a_4, a_5)$, verify that $e(g, a_5) = e(a_1, \hat g) \ \wedge\ e(m, a_5) = e(a_2, \hat g) \ \wedge\ e(a_2, T) = e(a_4, \hat g) \ \wedge\ e(a_3, \hat g) = e(a_1 a_4, S)$.
Note that the verification algorithm can be represented as a set of pairing product equations, and thus it is possible to prove knowledge of a pair $(m, sig)$ using the GS proof system. To prove knowledge of $m, sig$, first select $y \leftarrow \mathbb{Z}_p$, compute $sig' = (a'_1, a'_2, a'_3, a'_4, a'_5) = (a_1^y, a_2^y, a_3^y, a_4^y, a_5^y)$ and release the pair $a'_1, a'_5$ along with the following witness indistinguishable proof:

$\pi = \mathrm{NIWI}_{GS}\{(m, a'_2, a'_3, a'_4) : e(m, a'_5)\,e(a'_2, \hat g^{-1}) = 1 \ \wedge\ e(a'_2, T)\,e(a'_4, \hat g^{-1}) = 1 \ \wedge\ e(a'_3, \hat g)\,e(a'^{-1}_4, S) = e(a'_1, S)\}$

The verifier checks both the proof and the fact that $e(a'_1, \hat g) = e(g, a'_5)$.

Selective-message Secure Boneh-Boyen Signatures. Our constructions also make use of a weak signature scheme built from the Boneh-Boyen selective-ID IBE scheme [?] (§4).

BBKeyGen($\gamma, g_1, \hat g_1$). On input $\gamma = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, \ldots)$ and bases $(g_1, \hat g_1)$, select $\alpha, z \leftarrow \mathbb{Z}_p$, $g \leftarrow g_1^{1/\alpha}$, $\hat g \leftarrow \hat g_1^{1/\alpha}$, $g_2 \leftarrow g^z$, $\hat g_2 \leftarrow \hat g^z$, $h \leftarrow \mathbb{G}_1$. Output $vk = (\gamma, g, \hat g, g_1, g_2, h, \hat g_2)$, and $sk = (vk, g_2^\alpha)$.

BBSign$_{sk}(m)$. On input a message $m \in \mathbb{G}_1$, select $r \leftarrow \mathbb{Z}_p$ and output the signature $sig = (s_1, s_2, s_3) = ((mh)^r g_2^\alpha, \hat g^r, g^r)$, with $s_1, s_3 \in \mathbb{G}_1$ and $s_2 \in \mathbb{G}_2$.

BBVerify$_{vk}(sig, m)$. On input $m \in \mathbb{G}_1$ and $sig = (s_1, s_2, s_3)$, verify that $e(s_1, \hat g) / e(mh, s_2) = e(g_1, \hat g_2)$ and $e(g, s_2) = e(s_3, \hat g)$.

We can prove knowledge of a pair $(m, sig)$ as follows. Select $y \leftarrow \mathbb{Z}_p$ and set $sig' = (s'_1, s'_2, s'_3) = (s_1 (mh)^y, s_2 \hat g^y, s_3 g^y)$. Output $s'_2, s'_3$ and the WI proof:

$\pi = \mathrm{NIWI}_{GS}\{(m, s'_1) : e(s'_1, \hat g)\,e(m, s'^{-1}_2) = e(h, s'_2)\,e(g_1, \hat g_2)\}$

The verifier checks the proof and the fact that $e(g, s'_2) = e(s'_3, \hat g)$.

Double-Trapdoor BBS Encryption. Our OT constructions employ an encryption scheme with a “double-trapdoor” (so that both the simulator in charge of the crs and the sender in charge of the pk can extract the messages of the ciphertext). It is crucial that the holder of either secret key can verify the consistency of the ciphertext with respect to the other secret key (i.e., that decryption using the other key would reveal the same plaintext). We use a variant of Boneh-Boyen-Shacham encryption [?], which has a public consistency check.

Let $\mathrm{BMsetup}(1^\kappa) \rightarrow \gamma = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g, \hat g)$. Publish global parameters $\gamma, h, \hat h$ such that $e(g, \hat h) = e(h, \hat g)$, and for $i \in [1, 2]$ select $sk_i \leftarrow (x_i, y_i) \in \mathbb{Z}_p^2$ and $pk_i = (u_i, v_i, \hat u_i, \hat v_i) \leftarrow (h^{1/x_i}, h^{1/y_i}, \hat h^{1/x_i}, \hat h^{1/y_i})$. To encrypt a message $m \in \mathbb{G}_1$ under $pk_1/pk_2$, first select random values $r, s \in \mathbb{Z}_p$ and output the ciphertext $(u_1^r, v_1^s, u_2^r, v_2^s, h^{r+s} m)$. To decrypt a message $(c_1, \ldots, c_5)$ under $sk_1 = (x_1, y_1)$, output $c_5 / (c_1^{x_1} \cdot c_2^{y_1})$. To decrypt under $sk_2 = (x_2, y_2)$, output $c_5 / (c_3^{x_2} \cdot c_4^{y_2})$. Note that the structure of a ciphertext can be verified using the bilinear map, by checking that $e(c_1, \hat u_2) = e(c_3, \hat u_1) \ \wedge\ e(c_2, \hat v_2) = e(c_4, \hat v_1)$. In the full version [23] we show that the scheme above is semantically secure under the DLIN assumption.
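As an added example that is not part of the paper, the following Python code carries out the double-trapdoor encryption and both decryptions in a toy prime-order subgroup of $\mathbb{Z}_p^*$ rather than a pairing group. The pairing-based public consistency check cannot be reproduced there, so the example shows what that check protects against: a ciphertext whose $pk_2$ half was built with different randomness decrypts correctly under $sk_1$ but not under $sk_2$. The group parameters, keys and randomness are constructed for illustration only.

```python
import secrets

# Constructed toy parameters (illustration only, far too small for real use):
# p = 2q + 1 is a safe prime and H generates the order-q subgroup of Z_p^*.
P = 2039
Q = 1019
H = 4


def keygen(rng=secrets.randbelow):
    """sk_i = (x_i, y_i) in Z_q^*, pk_i = (u_i, v_i) = (h^{1/x_i}, h^{1/y_i})."""
    x = 1 + rng(Q - 1)
    y = 1 + rng(Q - 1)
    u = pow(H, pow(x, -1, Q), P)
    v = pow(H, pow(y, -1, Q), P)
    return (u, v), (x, y)


def encrypt(pk1, pk2, m, r=None, s=None):
    """Ciphertext (u1^r, v1^s, u2^r, v2^s, h^{r+s} m) under both keys at once."""
    (u1, v1), (u2, v2) = pk1, pk2
    r = secrets.randbelow(Q) if r is None else r
    s = secrets.randbelow(Q) if s is None else s
    return (pow(u1, r, P), pow(v1, s, P),
            pow(u2, r, P), pow(v2, s, P),
            pow(H, r + s, P) * m % P)


def decrypt1(sk1, c):
    """Holder of sk1 = (x1, y1) outputs c5 / (c1^x1 * c2^y1)."""
    x1, y1 = sk1
    blind = pow(c[0], x1, P) * pow(c[1], y1, P) % P   # = h^r * h^s
    return c[4] * pow(blind, -1, P) % P


def decrypt2(sk2, c):
    """Holder of sk2 = (x2, y2) outputs c5 / (c3^x2 * c4^y2)."""
    x2, y2 = sk2
    blind = pow(c[2], x2, P) * pow(c[3], y2, P) % P   # = h^r * h^s for a well-formed c
    return c[4] * pow(blind, -1, P) % P


def malformed_encrypt(pk1, pk2, m, r, s, r_prime):
    """A ciphertext whose pk2 half uses randomness r' != r.

    In the paper the public check e(c1, u2^) = e(c3, u1^) rejects such a
    ciphertext; here the two decryptions simply disagree, which is exactly
    the situation that check exists to rule out."""
    (u1, v1), (u2, v2) = pk1, pk2
    return (pow(u1, r, P), pow(v1, s, P),
            pow(u2, r_prime, P), pow(v2, s, P),
            pow(H, r + s, P) * m % P)


def demo():
    """Well-formed ciphertexts open identically under either key; a
    malformed one opens to m only under the key whose half was honest."""
    pk1, sk1 = keygen()
    pk2, sk2 = keygen()
    m = pow(H, 123, P)                      # a message encoded as a subgroup element
    good = encrypt(pk1, pk2, m)
    bad = malformed_encrypt(pk1, pk2, m, r=5, s=7, r_prime=6)
    return {
        "both_keys_agree": decrypt1(sk1, good) == decrypt2(sk2, good) == m,
        "malformed_sk1": decrypt1(sk1, bad) == m,
        "malformed_sk2": decrypt2(sk2, bad) == m,
    }


if __name__ == "__main__":
    print(demo())
```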
Protocol $OT_A$

$OT_A$ is parameterized by the algorithms (OTGenCRS, OTInitialize, OTRequest, OTRespond, OTComplete).

When S is activated with $(sid, \mathrm{sender}, (M_1, \ldots, M_N \in \{0,1\}^\ell))$:

1. S queries $\mathcal{F}_{CRS}$ with $(sid, S, R)$ and receives $(sid, crs)$. R then queries $\mathcal{F}_{CRS}$ with $(sid, S, R)$ and receives $(sid, crs)$.$^a$

2. S computes $(T, sk) \leftarrow \mathrm{OTInitialize}(crs, M_1, \ldots, M_N)$, sends $(sid, T)$ to R and stores $(sid, T, sk)$.

When R is activated with $(sid, \mathrm{receiver}, \sigma)$, and R has previously received $(sid, T)$ and $(sid, crs)$:

1. R runs $(Q, Q_{priv}) \leftarrow \mathrm{OTRequest}(crs, T, \sigma)$, sends $(sid, Q)$ to S and stores $(sid, Q_{priv})$.

2. S gets $(sid, Q)$ from R, runs $R \leftarrow \mathrm{OTRespond}(crs, T, sk, Q)$, and sends $(sid, R)$ to R.

3. R receives $(sid, R)$ from S, and outputs $(sid, \mathrm{OTComplete}(crs, T, R, Q_{priv}))$.

$^a$ $\mathcal{F}_{CRS}$ computes $crs \leftarrow \mathrm{OTGenCRS}(1^\kappa)$.


Fig. 4. A high-level outline of the $OT^{N \times 1}$ protocol, with details of each algorithm described in Section 4. We make no explicit mention of the value $k$, the total transfers permitted by the Sender, because our protocol does not depend on it. The Sender may choose to stop answering the Receiver's queries at any point, in which case OTRespond outputs “reject” and OTComplete accepts this as the message $\bot$.

4 A UC-Secure Adaptive OT Construction 

Our adaptive oblivious transfer protocol, $OT_A^{N \times 1}$, follows the framework described in Figure 4. We now describe one instantiation of the algorithms (OTGenCRS, OTInitialize, OTRequest, OTRespond, OTComplete). In the full version [23], we provide a second instantiation, under different assumptions.

OTGenCRS($1^\kappa$). Given security parameter $\kappa$, generate parameters for a bilinear mapping $\gamma = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g, \hat g) \leftarrow \mathrm{BMsetup}(1^\kappa)$. Compute $GS_S \leftarrow \mathrm{GSSetup}(\gamma)$ and $GS_R \leftarrow \mathrm{GSSetup}(\gamma)$. Choose $a, b, c \leftarrow \mathbb{Z}_p$, and set $(g_1, g_2, h, \hat g_1, \hat g_2, \hat h) \leftarrow (g^a, g^b, g^c, \hat g^a, \hat g^b, \hat g^c)$. Output $crs = (\gamma, GS_S, GS_R, g_1, g_2, h, \hat g_1, \hat g_2, \hat h)$. (In the full version [23], we describe how this common reference string can be replaced by a common random string.)

OTInitialize($crs, m_1, \ldots, m_N$). This algorithm is executed by the Sender. On input a collection of $N$ messages and the crs, it outputs a commitment to the database, $T$, for publication to the Receiver, as well as a Sender secret key, $sk$. We treat messages as elements of $\mathbb{G}_1$, since there exist efficient mappings between strings in $\{0,1\}^*$ and elements in $\mathbb{G}_1$ (e.g., [?]).

1. Parse crs to obtain $GS_S, g_1, g_2, h, \hat g_1, \hat g_2, \hat h$ and $\gamma$.

2. Choose random values $x_1, x_2 \in \mathbb{Z}_p$.

3. Set $(u_1, u_2) \leftarrow (h^{1/x_1}, h^{1/x_2})$, $(\hat u_1, \hat u_2) \leftarrow (\hat h^{1/x_1}, \hat h^{1/x_2})$.

4. Set $(vk_1, sk_1) \leftarrow \mathrm{CLKeyGen}(\gamma, u_1, \hat u_1)$, $(vk_2, sk_2) \leftarrow \mathrm{CLKeyGen}(\gamma, u_2, \hat u_2)$ and $(vk_3, sk_3) \leftarrow \mathrm{BBKeyGen}(\gamma, u_1, \hat u_1)$.

5. Set $pk \leftarrow (u_1, u_2, \hat u_1, \hat u_2, vk_1, vk_2, vk_3)$.

6. For $j = 1, \ldots, N$ encrypt each message $m_j$ as:

(a) Select random $r, s, t \in \mathbb{Z}_p$.

(b) Compute $sig_1 \leftarrow \mathrm{CLSign}_{sk_1}(u_1^r)$, $sig_2 \leftarrow \mathrm{CLSign}_{sk_2}(u_2^s)$, and $sig_3 \leftarrow \mathrm{BBSign}_{sk_3}(u_1^r u_2^s)$.

(c) Set $C_j \leftarrow (u_1^r, u_2^s, g_1^r, g_2^s, m_j \cdot h^{r+s}, sig_1, sig_2, sig_3)$.

7. Set $T \leftarrow (pk, C_1, \ldots, C_N)$ and $sk \leftarrow (x_1, x_2)$. Output $(T, sk)$.

Each ciphertext $C_j$ above can be thought of as a signcryption where it is the randomness for each ciphertext that is signed, rather than the plaintext itself. Each plaintext $m_j$ is encrypted under S's public key $u_1, u_2$, as well as a “key” $g_1, g_2$ drawn from crs. This “double-trapdoor” encryption is necessary for the security proof of the OT scheme.

To verify the format of each ciphertext $C_j = (c_1, \ldots, c_5, sig_1, sig_2, sig_3)$ in $T$, anyone can check that $\mathrm{CLVerify}_{vk_1}(c_1, sig_1)$, $\mathrm{CLVerify}_{vk_2}(c_2, sig_2)$, and $\mathrm{BBVerify}_{vk_3}(c_1 c_2, sig_3)$ each succeed, and that $e(c_1, \hat g_1) = e(c_3, \hat u_1) \ \wedge\ e(c_2, \hat g_2) = e(c_4, \hat u_2)$.

OTRequest($crs, T, \sigma$). This algorithm is executed by a Receiver. On input $T$ generated by the Sender, along with an item index $\sigma$, generates a query $Q$ for transmission to the Sender.

1. Parse $T$ as $(pk, C_1, \ldots, C_N)$, and ensure that it is correctly formed (see above). If $T$ is not correctly formed, abort the protocol. (This is only necessary on the first transfer.)

2. Parse crs to obtain $(GS_R, h, \hat h)$, and parse $pk$ as $(u_1, u_2, \hat u_1, \hat u_2, vk_1, vk_2, vk_3)$. Parse the $\sigma$th ciphertext $C_\sigma$ as $(c_1, \ldots, c_5, sig_1, sig_2, sig_3)$.

3. Select random $v_1, v_2 \in \mathbb{Z}_p$.

4. Set $d_1 \leftarrow (c_1 \cdot u_1^{v_1})$, $d_2 \leftarrow (c_2 \cdot u_2^{v_2})$, $t_1 \leftarrow h^{v_1}$, $t_2 \leftarrow h^{v_2}$.

5. Use the Groth-Sahai techniques and reference string $GS_R$ to compute a Witness Indistinguishable proof $\pi$ that the values $d_1, d_2$ pertaining to the ciphertext $C_\sigma$ (which the Receiver wishes to have the Sender help him open) have the correct structure:

$\pi = \mathrm{NIWI}_{GS_R}\{(c_1, c_2, t_1, t_2, sig_1, sig_2, sig_3) : e(c_1, \hat h)\,e(t_1, \hat u_1) = e(d_1, \hat h) \ \wedge\ e(c_2, \hat h)\,e(t_2, \hat u_2) = e(d_2, \hat h) \ \wedge\ \mathrm{CLVerify}_{vk_1}(c_1, sig_1) = 1 \ \wedge\ \mathrm{CLVerify}_{vk_2}(c_2, sig_2) = 1 \ \wedge\ \mathrm{BBVerify}_{vk_3}(c_1 c_2, sig_3) = 1\}$

6. Set request $Q \leftarrow (d_1, d_2, \pi)$, and private state $Q_{priv} \leftarrow (Q, \sigma, v_1, v_2)$. Output $(Q, Q_{priv})$.

To explain what is happening in the statement of step 5, first observe that the signature proofs of knowledge ensure that the values $c_1, c_2$ and the product $(c_1 c_2)$ each correspond to a valid signature held by the Receiver. The remaining equations ensure that the values $d_1, d_2$ correspond to “blinded” versions of the elements $c_1, c_2$. These checks guarantee that the witness used by the Receiver, and thus the decryption request being made, corresponds to one of the $N$ ciphertexts published by the Sender.

OTRespond($crs, T, sk, Q$). This algorithm is executed by the Sender. If the Sender does not wish to answer any more requests for the Receiver, then the Sender outputs the message “reject”. Otherwise, the Sender processes the Receiver's request $Q$ as:

1. Parse crs to obtain $(GS_R, GS_S, g, \hat h)$, and parse $T$ as $(pk, C_1, \ldots, C_N)$, and $sk$ as $(x_1, x_2)$.

2. Parse $pk$ (from $T$) as $(u_1, u_2, \hat u_1, \hat u_2, vk_1, vk_2, vk_3)$.

3. Parse $Q$ as $(d_1, d_2, \pi)$ and verify proof $\pi$ using $GS_R$. Abort if the check fails.

4. Set $a_1 \leftarrow d_1^{x_1}$, $a_2 \leftarrow d_2^{x_2}$, and $s \leftarrow a_1 \cdot a_2$.

5. Use the Groth-Sahai techniques and reference string $GS_S$ to formulate a zero-knowledge proof$^3$ that the decryption value $s$ is properly computed:

$\delta = \mathrm{NIZK}_{GS_S}\{(a_1, a_2) : e(a_1, \hat u_1)\,e(d_1^{-1}, \hat h) = 1 \ \wedge\ e(a_2, \hat u_2)\,e(d_2^{-1}, \hat h) = 1 \ \wedge\ e(a_1 a_2, \hat h)\,e(s^{-1}, \hat h) = 1\}$

The third equation ensures that $s = a_1 \cdot a_2$, while the first two, since the values $(u_1, d_1, u_2, d_2, h)$ are known to both parties, ensure that $a_1 = d_1^{x_1}$ and $a_2 = d_2^{x_2}$.

6. Output $R \leftarrow (s, \delta)$.

OTComplete($crs, T, R, Q_{priv}$). This algorithm is executed by the Receiver. On input $R$ generated by the Sender in response to a request $Q$, along with state $Q_{priv}$, outputs a message $m$ or $\bot$. If $R$ is the message “reject”, then the Receiver outputs $\bot$. Otherwise, the Receiver does:

1. Parse crs to obtain $(GS_S, h)$. Parse $T$ as $(pk, C_1, \ldots, C_N)$, $R$ as $(s, \delta)$, and $Q_{priv}$ as $(Q, \sigma, v_1, v_2)$.

2. Verify proof $\delta$ using $GS_S$. If verification fails, output $\bot$.

3. Parse $C_\sigma$ to obtain the first five elements $(c_1, \ldots, c_5)$ and output $m = c_5 / (s \cdot h^{-v_1} \cdot h^{-v_2})$. Map this element to a value in $\{0,1\}^\ell$ [?].

4.1 Efficiency Analysis 

When the protocol in Figure 4 is implemented using the algorithms described above, we obtain a $(k + 1/2)$-round protocol with communications cost $O(N + k)$, where $k < N$. More concretely, the crs is comprised of 7 elements in $\mathbb{G}_1$ and 7 elements of $\mathbb{G}_2$, the Sender's public key contains 5 elements in $\mathbb{G}_1$ and 6 elements in $\mathbb{G}_2$. Each of the $N$ ciphertexts in $T$ requires 15 elements in $\mathbb{G}_1$ and 3 elements in $\mathbb{G}_2$. Moreover, each item transfer involves transmission of 68 elements of $\mathbb{G}_1$ and 38 elements of $\mathbb{G}_2$ from Receiver to Sender, and then 20 elements of $\mathbb{G}_1$ and 18 elements of $\mathbb{G}_2$ from Sender to Receiver. The message space of our OT protocol is elements in $\mathbb{G}_1$, which will be sufficient for transferring a symmetric encryption key to unlock a file of arbitrary size.

$^3$ We present a simplified version of this proof above. However, to permit simulation, we must add a third variable $a_3 = \hat h$ and re-write the proof as $\mathrm{NIZK}_{GS_S}\{(a_1, a_2, a_3) : e(a_1, \hat u_1)\,e(d_1^{-1}, a_3) = 1 \ \wedge\ e(a_2, \hat u_2)\,e(d_2^{-1}, a_3) = 1 \ \wedge\ e(a_1 a_2, a_3)\,e(s^{-1}, a_3) = 1 \ \wedge\ e(u_1, a_3) = e(u_1, \hat h)\}$. See the full version for details.

4.2 Security Analysis 

Theorem 1. Instantiated with the above algorithms, $OT_A$ securely realizes the functionality $\mathcal{F}_{OT}^{N \times 1}$ in the $\mathcal{F}_{CRS}$-hybrid model under the SXDH, DLIN, and $q$-Hidden LRSW assumptions.

Due to space considerations, we provide only a sketch of Theorem 1 below (the complete proof can be found in the full version of this work [23]). When either the Sender or the Receiver is corrupted, we wish to describe a simulator $\mathcal{S}$ such that it can interact with the ideal functionality $\mathcal{F}_{OT}^{N \times 1}$ (which we'll denote simply as $\mathcal{F}$) and the environment $\mathcal{Z}$ appropriately; i.e., $\mathrm{IDEAL}_{\mathcal{F}, \mathcal{S}, \mathcal{Z}} \approx \mathrm{EXEC}_{OT_A, \mathcal{A}, \mathcal{Z}}$.

Simulating the case where only S is corrupted. We first consider the case where the real-world adversary $\mathcal{A}$ corrupts the Sender, and thus $\mathcal{S}$ must interact with $\mathcal{F}$ as the ideal Sender and with (an internal copy of) $\mathcal{A}$ as a real-world Receiver. Here $\mathcal{S}$ does the following:

1. Ask $\mathcal{A}$ to begin an OT protocol, and set the crs for these two parties by running $\gamma = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g \in \mathbb{G}_1, \hat g \in \mathbb{G}_2) \leftarrow \mathrm{BMsetup}(1^\kappa)$, $GS_S \leftarrow \mathrm{GSSetup}(\gamma)$, $GS_R \leftarrow \mathrm{GSSetup}(\gamma)$, selecting random elements $a_1, a_2 \in \mathbb{Z}_p$, and setting $g_1^{a_1} = g_2^{a_2} = h$ (and a corresponding relationship for $\hat g_1, \hat g_2, \hat h$). Set $crs = (\gamma, GS_S, GS_R, g_1, g_2, h, \hat g_1, \hat g_2, \hat h)$. When the parties query $\mathcal{F}_{CRS}$, return $(sid, crs)$.

2. Obtain the database commitment $T$ from $\mathcal{A}$. Verify that $T$ is well-formed, abort if not. Otherwise, $\forall i \in [1, N]$ use $a_1, a_2$ to decrypt each ciphertext $C_i = (c_1, \ldots, c_5, \ldots)$ as $m_i = c_5 / (c_3^{a_1} c_4^{a_2})$. Map each element $m_i \in \mathbb{G}_1$ to a string in $\{0,1\}^\ell$ [?]. Send $(sid, S, m_1, \ldots, m_N)$ to $\mathcal{F}$.

3. Upon receiving $(sid, \mathrm{request})$ from $\mathcal{F}$, return $\mathrm{OTRequest}(crs, T, 1)$ to $\mathcal{A}$. This response includes two random values $d_1, d_2$ and a non-interactive witness indistinguishable proof $\pi$ with respect to $GS_R \in crs$ that $d_1, d_2$ are “blinded” values corresponding to ciphertext $C_1$. This proof can be performed honestly and without rewinding.

4. If $\mathcal{A}$ issues a “reject” message or responds with anything other than a value in $\mathbb{G}_1$ and a valid NIZK proof, then $\mathcal{S}$ tells $\mathcal{F}$ to fail the request by sending message $(sid, 0)$. Otherwise, $\mathcal{S}$ sends the message $(sid, 1)$ to $\mathcal{F}$.

The indistinguishability argument here follows from the indistinguishability of the crs (which is identically distributed to a real crs), the perfect extraction of the messages in step (2),$^4$ and the Witness Indistinguishability of the GS proof $\pi$ issued during each request phase, which guarantees that $\mathcal{A}$ (the corrupt Sender) cannot distinguish a request to decrypt $C_1$ from a request to decrypt any other valid ciphertext. Thus, $\mathcal{S}$ can adequately mimic its response pattern.

$^4$ Note that a ciphertext that passes the validity check can be represented as $C = (u_1^r, u_2^s, g_1^r, g_2^s, h^{r+s} m, \ldots)$ for some $r, s \in \mathbb{Z}_p$, and when $(g_1, g_2, h)$ have the relationship described above, decryption using $a_1, a_2$ always produces $m$.

Simulating the case where only R is corrupted. Next, we consider the case where the real world adversary $\mathcal{A}$ corrupts the Receiver, and thus $\mathcal{S}$ must interact with $\mathcal{F}$ as the ideal Receiver and with (an internal copy of) $\mathcal{A}$ as real-world Receiver. This case requires that $q = N$ for the $q$-Hidden LRSW assumption. Here $\mathcal{S}$ does the following:

1. Ask $\mathcal{A}$ to begin an OT protocol, and set the crs for these two parties by running $\gamma = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g \in \mathbb{G}_1, \hat g \in \mathbb{G}_2) \leftarrow \mathrm{BMsetup}(1^\kappa)$, $(GS_S, td_{sim}) \leftarrow \mathrm{GSSimulateSetup}(\gamma)$ and $(GS_R, td_{ext}) \leftarrow \mathrm{GSExtractSetup}(\gamma)$. Select random elements for $g_1, g_2, h, \hat g_1, \hat g_2, \hat h$. Set $crs \leftarrow (\gamma, GS_S, GS_R, g_1, g_2, h, \hat g_1, \hat g_2, \hat h)$. When the parties query $\mathcal{F}_{CRS}$, return $(sid, crs)$.

2. $\mathcal{S}$ must commit to a database of messages for $\mathcal{A}$ without knowing the messages $m_1, \ldots, m_N$. Thus, $\mathcal{S}$ simply commits to random junk messages, and sends the corresponding $T$ to $\mathcal{A}$.

3. When $\mathcal{A}$ makes a transfer request, $\mathcal{S}$ uses $td_{ext}$ to extract the witness $W$ corresponding to $\mathcal{A}$'s decryption request from the NIWI proof. (This extraction is done via opening perfectly-binding commitments which are included in the WI proof and does not require any rewinding.) This witness includes the first two elements $(c_1, c_2)$ of the ciphertext that $\mathcal{A}$ is requesting to decrypt, and from these it is possible to determine the index $\sigma'$ of the ciphertext that $\mathcal{A}$ has requested to open.

4. $\mathcal{S}$ now sends $(sid, R, \sigma')$ to $\mathcal{F}$ to obtain the real $m_{\sigma'}$ message.

5. Finally, $\mathcal{S}$ returns a response to $\mathcal{A}$ which opens $C_{\sigma'}$ to $m_{\sigma'}$ and then uses $td_{sim}$ to simulate an NIZK proof that this opening is correct. The NIZK proof here is designed in such a way that simulation is always possible and no rewinding is necessary.

The indistinguishability argument here follows from the indistinguishability of the crs (from a real crs), the indistinguishability of the “fake” database $T$, the ability to extract witnesses from the NIWI proofs, and the zero-knowledge property of “fake” NIZK proofs. In particular, note that the $N$-Hidden LRSW assumption ensures that any decryption request made by the receiver corresponds to a valid ciphertext from the database $T$ (if $\mathcal{A}$ produces a proof $\pi$ embedding invalid ciphertext values, we can use $\mathcal{A}$ to solve $N$-Hidden LRSW or the co-CDH problem [?], which is implied by $N$-Hidden LRSW).$^5$ Unlike the protocol of [?], we are able to base the semantic security of the ciphertexts on a standard decisional assumption (the Decision Linear assumption). This is possible because the full ciphertext can be constructed using only the DLIN input (see the note on Ciphertext security below). Notice that $\mathcal{S}$ is never both simulating and extracting via the same (subsection of the) common reference string; indeed, we do not require that the proofs be simulation-sound.

$^5$ Note that we are using both an existentially unforgeable signature scheme, as well as a selective-ID IBE scheme that has been “retasked” as a signature scheme. The latter leads to a signature that is only secure for a polynomial-sized, fixed message space. In the full version, we show that this limitation is acceptable given that we are signing the product of other messages which have been signed using the stronger signature scheme. Since there are at most a polynomial number of such products, the construction is secure.

Simulating the remaining cases. When both the Receiver and Sender are corrupted, $\mathcal{S}$ knows the inputs to S and R and can simulate a protocol execution by generating the real messages exchanged between the two parties. In the case where neither party is corrupted, then: when $\mathcal{S}$ receives messages of the form $(sid, b_i)$ indicating that transfers have occurred, $\mathcal{S}$ generates a simulated transcript between the honest S and R. In this case, $\mathcal{S}$ runs the protocol as specified, using as S's input a random database $(m_1, \ldots, m_N)$, and (for each transfer) R's input $\sigma' = 1$. If in the $i$th transfer $b_i = 0$ then $\mathcal{S}$ responds with an invalid $R$ (the empty string). Else, $\mathcal{S}$ returns a valid response as in the protocol.

Ciphertext security. We briefly elaborate on the security of the ciphertexts in our scheme. To prove security when the Receiver is corrupted, we must show that a ciphertext vector encrypting random messages is indistinguishable from a vector encrypting the real message database. We argue that this is the case under the Decision Linear assumption. Let $D = (g, \hat g, f, \hat f, h, \hat h, g^a, f^b, z_d)$ be a candidate Decision Linear tuple. We consider a simulation that behaves as follows:

1. Set $u_1 = g$, $u_2 = f$, $\hat u_1 = \hat g$, $\hat u_2 = \hat f$. Select random $y_1, y_2 \in \mathbb{Z}_p$, and set $g_1 = u_1^{y_1}$, $g_2 = u_2^{y_2}$ (and similarly for $\hat g_1, \hat g_2$). Fix $crs \leftarrow (\gamma, GS_S, GS_R, g_1, g_2, h, \hat g_1, \hat g_2, \hat h)$.

2. Generate $(vk_1, sk_1)$, $(vk_2, sk_2)$, $(vk_3, sk_3)$ as in normal operation. Set $pk = (u_1, u_2, \hat u_1, \hat u_2, vk_1, vk_2, vk_3)$.

3. For $i = 1$ to $N$, choose fresh random $s, t_1, t_2 \in \mathbb{Z}_p$ and set $c_1 = g^{as} g^{s t_1}$, $c_2 = f^{bs} f^{s t_2}$. Set $C_i$:

$C_i = (c_1, c_2, c_1^{y_1}, c_2^{y_2}, z_d^{s}\, h^{s(t_1 + t_2)}\, m_i, sig_1, sig_2, sig_3)$

where $sig_1, sig_2, sig_3$ are generated normally using the proper secret keys.

4. Set $T \leftarrow (pk, C_1, \ldots, C_N)$.

5. The simulation answers requests from the malicious Receiver by extracting from its proof and simulating correct responses (as described above).

Note that in the above, if $z_d = h^{a+b}$, then the above simulation perfectly encrypts $(m_1, \ldots, m_N)$. However, when $z_d$ is a random element of $\mathbb{G}_1$, then the ciphertexts correspond to encryptions of random elements in $\mathbb{G}_1$. Now, suppose for the sake of contradiction that there exists an environment $\mathcal{Z}$ who can distinguish case one from case two with non-negligible probability $\epsilon$. Then, it is easy to see that we can use $\mathcal{Z}$ to decide Decision Linear.
5 On Multiple Receivers

OT is traditionally described as a two-party protocol between a Sender and Receiver. We presented our main construction in this setting. However, since we are motivated by the application of OT to database systems, we would also like to support applications where multiple users share a single database. Naively this can be accomplished by requiring the database to run separate OT protocol instances with each user. However, this approach can be quite inefficient, and moreover does not ensure consistency in the database viewed by individual Receivers. Consider a strengthening of the security definition of $\mathcal{F}_{OT}^{N \times 1}$ (in Figure [?]) to include the additional requirement that all Receivers “view” the same database, i.e., the database owner cannot selectively alter the messages in the database when interacting with different receivers: on query $\sigma$ from any receiver, he must return a value in $\{m_\sigma, \bot\}$. In the full version of this work [23] we discuss extensions to our protocol designed to achieve this property.
Abstract. Numerous methods have been proposed to conduct cryptographically secure elections. Most of these protocols focus on 1-out-of-n voting schemes. Few protocols have been devised for preferential voting systems, in which voters provide a list of rankings of the candidates, and many of those treat ballots as if they were ballots in a 1-out-of-n voting scheme. We propose a linked-list-based scheme that provides improved privacy over current schemes, hiding voter preferences that should not be revealed. For large lists of candidates we achieve improved asymptotic performance.

Keywords: Electronic Voting, Secure Computation. 

1 Introduction 

Electronic voting is by far the most mature area of secure computation, with 
a vast literature (c.f. [?]). Most electronic voting protocols may be viewed as 
attempts to emulate the following physical metaphor: Voters cast ballots into a 
large box, at the conclusion of which the box is shaken and opened. 

Much work has gone into efficiently and securely approximating this physical 
paradigm. However, this type of balloting represents merely one way of specifying 
and aggregating preferences. Numerous ways of aggregating preferences have 
been proposed, and indeed, are used in major political elections. We consider 
one such system, known as instant runoff voting. 

1.1 Instant Runoff Voting 

Ballots in a single transferable vote (STV) system are submitted as a list of ordinal preferences. The voters' first choices are counted, and any candidate receiving a certain quota of votes is declared a winner. One such example is the Hare-Clark quota, used in Australian elections:

$\dfrac{\text{number of eligible votes}}{\text{number of open seats} + 1}$
Votes in excess of the quota are proportionally “returned” to the voters, and applied to the next viable choice on their list. If not enough candidates reach their quota in this fashion, the candidate with the fewest number of votes is eliminated, and the process continues until all of the open seats are filled.

Although Arrow's theorem guarantees that there will be some cases for which Hare-Clark voting induces some pathology, it is attractive in practice for its ability to avoid “wasted” votes. One has comparatively less incentive (though some still exists) for strategically not supporting one's favorite candidate because the candidate is either assured to win or very likely to lose. Beyond its aesthetic appeal, the fact that it is in actual use for an important election motivates our attention.

We focus on the special case of Hare-Clark in which there is one open seat, and thus a candidate needs to win a majority of the votes in order to win the election. This is a special case known as Instant Runoff Voting (IRV), which is used in certain local jurisdictions in the United States, including elections in San Francisco [?] and Cambridge, Massachusetts [?]. In this scheme, if a candidate has a majority of votes, then he is elected. Otherwise, the candidate with the fewest votes is eliminated; counters look at the next choices of each ballot that had a vote for the recent loser. We note that for this special case, there is no need to redistribute excess winning votes; however, it remains necessary to eliminate candidates and redistribute these votes.
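The IRV tally just described (count first choices, elect a majority winner, otherwise eliminate the candidate with the fewest votes and move those ballots to their next viable choice), as an added worked example that is not from the paper. The sample ballots and the alphabetical tie-break for elimination are constructed assumptions; exhausted ballots (every listed choice eliminated) are dropped from the continuing total.

```python
from collections import Counter

# Constructed sample ballots (not from the paper): each ballot lists candidates
# from most to least preferred.  A leads on first choices, but B wins after C
# is eliminated and C's ballots transfer to their next viable choice.
SAMPLE_BALLOTS = (
    [["A", "B", "C"]] * 4
    + [["B", "C", "A"]] * 3
    + [["C", "B", "A"]] * 2
)


def irv_winner(ballots):
    """Run instant runoff voting over ranked ballots.

    Returns (winner, rounds) where rounds is the list of per-round tallies,
    so the elimination and transfer steps can be audited afterwards.
    """
    candidates = {c for ranking in ballots for c in ranking}
    eliminated = set()
    rounds = []
    while True:
        tally = Counter()
        for ranking in ballots:
            # each ballot counts for its highest-ranked candidate still in the race;
            # a ballot whose every choice was eliminated is exhausted and counts for nobody
            for choice in ranking:
                if choice not in eliminated:
                    tally[choice] += 1
                    break
        rounds.append(dict(tally))
        continuing = sum(tally.values())
        if continuing == 0:
            return None, rounds
        leader, votes = max(tally.items(), key=lambda kv: kv[1])
        if 2 * votes > continuing:            # strict majority of continuing ballots
            return leader, rounds
        remaining = candidates - eliminated
        # eliminate the candidate with the fewest votes; ties broken alphabetically (assumption)
        loser = min(remaining, key=lambda c: (tally.get(c, 0), c))
        eliminated.add(loser)


if __name__ == "__main__":
    winner, rounds = irv_winner(SAMPLE_BALLOTS)
    for n, r in enumerate(rounds, 1):
        print(f"round {n}: {r}")
    print("winner:", winner)
```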

1.2 Difficulties with the Physical Paradigm 

In simple voting an ideal physical ballot box with paper ballots is the “gold stan- 
dard” against which electronic protocols are judged; indeed, there have been per- 
haps over-nostalgic calls for its use in practice. However, with instant runoff voting, 
merely severing the identification between voters and their preference list gives in- 
sufficient privacy. Particularly in the case where there is a large number of candi- 
dates, a full preference order may conceivably be used to identify a voter and thus 
leak information far beyond that revealed by the final vote counts, with obvious 
implications for privacy and coercibility. We note that this problem is not specific 
to a protocol implementation, but to the nature of what is to be revealed. 

As a result, in actual physical elections, one has the choice of either revealing 
extra information or placing a great deal of trust in the discretion and trustwor- 
thiness of the election officials. 

The secure multi-party computation paradigm [?] is arguably a superior gold standard to any physical ballot box. One endeavors to simulate trusted election officials, who compute the correct results, but then only reveal that which is supposed to be revealed.

Thus, an intriguing aspect of this type of voting is that a cryptographic pro- 
tocol may potentially offer a solution that is qualitatively superior to current 
best practices. 

1.3 Related Work 

Electronic voting has been a model problem of secure multi-party computation since it was proposed by Chaum [?]. Many protocols have been proposed for single-vote, first-past-the-post-style elections, leveraging homomorphic encryption or mix-network technologies; see, for example, [?]$^1$.

Without leaving the realm of simple elections, variations are possible in the security and privacy guarantees of the voting protocol. For example, receipt-free and incoercible voting schemes aim to prevent voter intimidation and vote selling by preventing the voter from being able to prove how they voted; see, for example, [?]. One may view this property as a closer approximation to the physical paradigm, in which the voter cannot prove which ballot is theirs. It should be noted that incoercibility does not follow from the generic multi-party solutions (though incoercibility can be generalized to this setting [?]).

Hevia and Kiwi [?] consider the problem of revealing the winner of the election, but keeping secret the vote tally. As with the problem we consider, the “ideal” physical implementation of voting does not guarantee as strong privacy conditions.

The techniques of “standard” electronic voting also yield solutions to simple preference voting, in which a voter may cast either zero or one votes for each candidate. For example, one can implement a $k$-candidate preference voting election by $k$ simple 2-candidate elections in which the $i$th election is used to count votes for the $i$th candidate.

Protocols for preferential voting schemes, such as IRV, adopt a similar approach. Aditya et al. consider elections for the Australian Senate and House of Representatives [?]. They examine the efficiency of balloting using a naive balloting representation and straight mix-network and homomorphic encryption schemes. For an election with $k$ candidates, their scheme using homomorphic encryptions requires posting a ballot of size $O(k!)$ bits. Their basic mix-network based scheme requires a voter to post a number between 1 and $k!$, corresponding to each set of preferences. In their most efficient scheme, they leverage Australia's voting machine structure, and adapt it to the vector-ballot approach introduced by Kiayias and Yung [?] to handle elections with write-in ballots. Each vote is a 3-vector. The first position contains a homomorphically-encrypted vote, corresponding to one of twenty preset choices. The other two positions are used to represent “write-in” votes (in which voters list their preferences rather than choosing from a preset list). The write-in votes are submitted in blocks with some preset preferential votes to a shrink-and-mix network, while blocks with no write-in votes are tabulated.

1.4 Our Contribution 

We contribute a new protocol for instant runoff voting that has superior asymp- 
totic performance when there are a large number of candidates and superior 
privacy guarantees. 

The protocols of Aditya et al. may be applied to the case we consider, as it 
is a special case of their own. We thus compare our protocol to this solution, 
noting that the comparison is somewhat unfair due to their greater generality. 

Although the work required of the voter in the protocol of [?] was small in other respects, the message length scales super-exponentially in the number of candidates. In our solution, the work per ballot construction is roughly quadratic in the number of candidates.

An arguably more important improvement is in our privacy guarantees. The protocol of [?] essentially attempts to mirror the privacy properties of existing systems. Thus, it is acceptable in their framework to reveal individual preference lists once the direct linkage with voters has been eliminated. Hence, this protocol necessarily suffers from the weaknesses of the physical solution with respect to privacy and coercion.

In our protocol, we first reveal the counts of the first-choice preferences each 
candidate obtained. Whenever a candidate is eliminated and their votes recast 
(using the next viable preference on the preference list), the new counts are also 
revealed. However, only these intermediate results are revealed. 

One could, of course, strive for even stronger privacy guarantees, such as 
revealing only the winner(s), or only revealing the order of elimination. One 
might argue that our protocol necessarily reveals statistics, such as the second- 
choice preference statistics of those voters whose first choice candidate is the 
first to be eliminated. 

However, revealing such intermediate counts seems to be reasonable and in- 
deed often necessary from a procedural point of view. For most elections, the 
electorate wishes to know the final counts, not merely the winner. It would likely 
be considered unreasonable to declare that a candidate is eliminated without 
giving the actual vote count that was the basis of their elimination. 

Furthermore, one can imagine using our protocols on a precinct-by-precinct basis, with intermediate counts reported to a conventional voting authority that decides whom to eliminate next. Such regional counts can be useful in detecting vote fraud. Thus, it may be essential that the tallies from each round be revealed, and that elimination decisions can be made externally and, in principle, independently of the results within an individual precinct.

1.5 Techniques Used 

We make original use of standard electronic voting techniques, particularly the use of re-encryption mix networks (cf. [?]), group cryptography (cf. [?]) and efficient proofs on committed values (cf. [?]). On a very high level, voters generate linked lists of encrypted votes that specify their preferences. The encryptions are done with respect to a key that is held in aggregate by the election committee, who can decrypt elements using group cryptography. The head of the list corresponds to the highest ranked viable candidate. By using group decryption to decrypt these heads, the first round vote counts may be computed.

When a candidate is eliminated, we must efficiently search out the next el- 
ement in the list. However, we must be very careful about leaking extraneous 
information. For example, it cannot be revealed what was the original ranking 
of the current head of a list. Nor can we reveal for any list the history of which 
elements are moved to the head (or we will reveal the list). For this reason, we 
keep all but the (current) head elements in a separate table of elements that is 
constantly remixed. This separation complicates the problem of finding the next element of a list. We use a system of random ID tags to allow us to use group decryption to find the next elements in the set.

An important technical problem we must deal with is that it would reveal too much to follow a link from an eliminated top-choice vote only to find another eliminated candidate. We must therefore perform surgery on our linked lists, deleting eliminated candidates from the interiors of lists so we will never arrive at them.

To perform all of these list manipulations, we use three mix networks in different ways. Pieces of the ballots are proved consistent before being distributed among the mix networks. The consistency proofs are done using standard proofs of equality on committed values. We use standard witness-hiding techniques and heuristically replace the honest verifier with a hash function using Gennaro’s variant [?] of the Fiat-Shamir heuristic [?] (designed to avoid vote duplication attacks).

Summarizing, we present a scheme that uses a linked-list structure to represent 
a ballot, treats all ballots equally using three mix-networks, and also improves 
privacy by hiding preferences. 

Road Map: In Section 2 we present the basic cryptographic elements of the protocol: mix-networks, group decryption, and plaintext equality proofs. We discuss the ballot design and voting procedure in Section 3. We briefly discuss efficiency and security in Section 4. We discuss other possible research directions in Section 5.

2 Preliminaries 

We use a number of basic cryptographic primitives, which we review for self- 
containment of the exposition. 

Re-encryption Mix-Networks: Mix-networks (or mixnets), which are used to create communication channels that are difficult to trace, consist of a series of servers that take a series of texts $M_1, \dots, M_n$ and output a permutation $\pi(M_1), \dots, \pi(M_n)$ of these texts. In re-encryption mixnets, each mix server takes in a series of encrypted messages and applies a re-randomization to each ciphertext. In the case of an El Gamal ciphertext this re-encryption corresponds to selecting a random group element and applying a small number of group operations. Neff [?] describes a protocol for the shuffling of sequences of El Gamal pairs. We use a variant of Neff’s protocol in which blocks of encryptions are mixed: the blocks are re-encrypted in random order, but the (plaintext) values within each block are preserved in their original order.

Secret Sharing and Group Decryption: We proceed with secret sharing as in [?]. To generate a private El Gamal key to distribute to counters, we use the $(t, n)$ threshold protocol of Shamir [?]. Namely, for the secret exponent $s$, we announce shares $s_1, \dots, s_n$ for the counters, such that from any set $P$ of $t$ shares, we can recover the secret.

Using group cryptography, the authorities can simulate a single entity that alone has access to the decryption key. Decryption of encrypted values by the group is comparatively straightforward and efficient. In our analysis, we will treat such decryptions as basic operations.

Plaintext Equality Proofs and Proofs of Knowledge: Given El Gamal encryptions of $M_1$ and $M_2$, $(\alpha_1, \beta_1) = (g^r, M_1 h^r)$ and $(\alpha_2, \beta_2) = (g^s, M_2 h^s)$, we can execute an efficient plaintext equality proof protocol that proves that $M_1$ and $M_2$ are the same. Also, given an encryption of $M$ and a known value $r$, we must be able to produce (with proof) an encryption of $M' = M + r$. For most homomorphic encryption systems, one can compute the encryption of $M + r$ from an encryption of $M$.

It is also crucial that we can perform proofs of knowledge of encrypted values (i.e., proofs in which the prover sends an honest verifier a message, the honest verifier sends a random challenge to the prover, and the prover sends a reply). In practice, we “compress” such proofs using Gennaro’s variant of the Fiat-Shamir heuristic, in which the verifier’s challenge is computed as a hash of the first message and the prover’s identity (so as to avoid replaying other players’ proofs). This heuristic results in a single-message “certificate” that the player knows the values being committed to. We heuristically analyze our protocol as if the actual proofs were invoked.

The use of proofs of knowledge is crucial to both the correctness and privacy 
of our protocol. Intuitively, proving knowledge of a committed value prevents 
malleability attacks in which one commits to values that one doesn’t know, but 
which are somehow related to other committed values. 
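The three primitives reviewed above, as an added worked example in Python that is not part of the paper: exponential El Gamal over a prime-order subgroup, the re-encryption step a mix server applies, a Chaum-Pedersen plaintext equality proof made non-interactive with the prover's identity folded into the hash (Gennaro's variant of Fiat-Shamir, as described above), and the homomorphic shift from $\mathrm{Enc}(M)$ to $\mathrm{Enc}(M + r)$ that the tag randomization of Section 3.6 relies on. Everything in it is an assumption of this illustration rather than something the paper specifies: the group parameters come from a seeded search for a toy 64-bit safe prime (far too small for real use; a deployment would use a standardized group), plaintexts are encoded in the exponent so that the shift becomes a multiplication by $g^r$, and all function and variable names are ours.

```python
"""El Gamal primitives for the linked-list ballot: re-encryption, an identity-bound
plaintext-equality proof, and the homomorphic shift Enc(M) -> Enc(M + r).
Constructed illustration; the group is a toy 64-bit safe prime found by seeded search."""
import hashlib
import random
import secrets

def is_prime(n):
    """Deterministic Miller-Rabin: exact for n < 3e23 with these fixed bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits, seed=2008):
    """Find p = 2q + 1 with p and q prime; seeded so the demo is reproducible."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime(64)   # toy group: fine for following the arithmetic, useless for security
G = 4                   # a quadratic residue mod P, hence a generator of the order-Q subgroup

def keygen():
    """Private exponent s and public key h = g^s (in the paper s is secret-shared)."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)

def encrypt(h, m, r=None):
    """Exponential El Gamal (g^r, g^m h^r); plaintext exponents add under multiplication."""
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P), r

def reencrypt(h, c):
    """The mix-server step: fresh randomness, same plaintext, no key needed."""
    a, b = c
    r2 = secrets.randbelow(Q)
    return (a * pow(G, r2, P) % P, b * pow(h, r2, P) % P), r2

def decrypt(s, c):
    """Returns the group element g^m; a tally only needs to compare such elements."""
    a, b = c
    return b * pow(a, Q - s, P) % P

def shift(c, r):
    """Enc(M) -> Enc(M + r) computed from the ciphertext and the public r alone."""
    a, b = c
    return a, b * pow(G, r, P) % P

def challenge(prover_id, c1, c2, t1, t2):
    """Fiat-Shamir challenge bound to the prover's identity (Gennaro's variant)."""
    data = "|".join(map(str, (prover_id, *c1, *c2, t1, t2))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_equal(h, c1, r1, c2, r2, prover_id):
    """Chaum-Pedersen proof that c1 and c2 encrypt the same M. With witness w = r1 - r2,
    (a1/a2, b1/b2) = (g^w, h^w) holds exactly when the plaintext factors cancel."""
    w = (r1 - r2) % Q
    u = secrets.randbelow(Q)
    t1, t2 = pow(G, u, P), pow(h, u, P)
    c = challenge(prover_id, c1, c2, t1, t2)
    return t1, t2, (u + c * w) % Q

def verify_equal(h, c1, c2, proof, prover_id):
    """Recompute the identity-bound challenge and check both discrete-log equations."""
    (a1, b1), (a2, b2) = c1, c2
    t1, t2, z = proof
    A = a1 * pow(a2, -1, P) % P
    B = b1 * pow(b2, -1, P) % P
    c = challenge(prover_id, c1, c2, t1, t2)
    return (pow(G, z, P) == t1 * pow(A, c, P) % P
            and pow(h, z, P) == t2 * pow(B, c, P) % P)

if __name__ == "__main__":
    s, h = keygen()
    c1, r1 = encrypt(h, 4242)
    c2, r2 = encrypt(h, 4242)
    proof = prove_equal(h, c1, r1, c2, r2, "voter-17")
    print("own identity:", verify_equal(h, c1, c2, proof, "voter-17"))
    print("replayed by another voter:", verify_equal(h, c1, c2, proof, "voter-99"))
    print("shift by 100 decrypts to g^4342:", decrypt(s, shift(c1, 100)) == pow(G, 4342, P))
```

The replay check in the demo is the point of Gennaro's variant: the same proof verified under a different prover identity fails, so a voter cannot copy another voter's ciphertext together with its proof.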

3 Voting Scheme 

3.1 Preliminary Setup 

The protocol uses three mix networks. The pool of first place votes is sent to 
mix network 1, subsequent choices of each voter are sent to mix network 2, 
and elimination links are sent to mix network 3. At the start of each election, 
the authorities announce the public key used for all encryptions. Shares of the 
corresponding private key are distributed to the counters using the secret-sharing 
scheme described in the previous section. 

We also assume the existence of a public “bulletin board” that is used as a 
staging area for the mix networks. As we describe below, the encrypted values 
sent through the mix networks are subject to various constraints that must be 
verified. The encrypted values and their consistency proofs are posted to the 
bulletin board and checked before being routed through the mix networks. 


3.2 Counter Initialization 

The voting authorities collectively set up an El Gamal based public-key group en- 
cryption scheme. The public key is made public and is used for the re-encryption 
mixer. The private key is held in a distributed fashion by the group. 
3.3 Ballot Design: Constructing the Linked List 

On a high level, a ballot is composed of a set of preference elements, each of which consists of preference data and additional keys used to link the preference elements. In the following discussion, $i$ will denote the position of the preference in the list. We will have multiple elimination rounds, indexed by $j$, each requiring separate links.

To establish a link, each preference element has a set of incoming keys (thought of as large random numbers) $\mathit{in}_{i,j}$, used to establish a connection with the preceding element in the list, and a set of outgoing keys, $\mathit{out}_{i,j}$, used to establish links with following elements. To establish that $x_{i'}$ follows $x_i$ in the linked list we set $\mathit{out}_{i,j} = \mathit{in}_{i',j}$. We similarly set up random tags $\mathit{lose}_{i,j}$ that will aid in the removal of $x_i$ if it corresponds to a candidate being eliminated.

For an election with $k$ candidates, a (proper) voter does the following to construct a ballot (see Figure 2 in the appendix):

1. Determine the order of preferences, $x_1, \dots, x_k$, where each $x_i$ is a name (or number) representing a candidate.

2. For $i = 1, \dots, k+1$ and $j = 1, \dots, k$:

— Select the keys $\mathit{in}_{i,j}$ for $i = 1, \dots, k+1$ and $j = 1, \dots, k$ independently at random (in fact, we require a further step, to ensure that keys are distinct; see Section 3.6).

— If $i \neq k+1$, let $\mathit{out}_{i,j} = \mathit{in}_{i+1,j}$. This operation creates the links between choices.

— Otherwise, select $\mathit{out}_{k+1,j}$ independently at random. This operation ends the list at the terminal choice.

— Select the keys $\mathit{lose}_{i,j}$ independently at random.

3. Post encryptions of the tuple $(x_1, \mathit{in}_{1,j}, \mathit{out}_{1,j}, \mathit{lose}_{1,j})$, for $j = 1, \dots, k$, to mix network 1.

4. For $i = 2, \dots, k+1$ and $j = 1, \dots, k$, post the tuple $(x_i, \mathit{in}_{i,j}, \mathit{out}_{i,j}, \mathit{lose}_{i,j})$ to mix network 2.

5. For $i = 1, \dots, k+1$ and $j = 1, \dots, k$, post the tuple $(x_i, \mathit{lose}_{i,j})$ to mix network 3.

To complete the ballot, the voter posts plaintext equality proofs [?] made non-interactive by Gennaro’s modification to the Fiat-Shamir heuristic [?] to verify that the linked list is composed properly, namely that $\mathit{in}_{i+1,j} = \mathit{out}_{i,j}$. To verify that the removal links point to the proper candidate to be removed, the voter must also prove that $x_i$ and $\mathit{lose}_{i,j}$ are equal across mix networks. Similarly, the voter posts proofs of knowledge of the encrypted values. All such proofs are posted to the public bulletin board, and may be verified by all interested parties.

Remark. For our analysis, it is useful to enforce other constraints on the ballot. For example, there is no real point in having a duplicated name on one’s list, and we may optionally wish to restrict the names to a specific list of candidates. The former may be accomplished using proofs of inequality. The latter may be accomplished using standard mix-net proofs: one writes down a list of encrypted names and proves that it is a permutation of the allowed list.
Figure 1 shows an example of each component: a portion of a vote and a removal tag, for an election with 3 candidates. A concrete example and diagram showing a full voter’s posting are included in the next subsection.



[Figure 1 image: an encrypted choice element, labelled $\mathrm{Enc}(x_i)$, and a removal tag, labelled $\mathit{lose}_{i,j}$; only these labels survive extraction.]

Fig. 1. A visualization of the components of a voter’s ballot. A choice posted to mix networks 1 or 2 is on the left. A removal tag posted to mix network 3 is on the right. See Figure 2 in the appendix for an example of a complete ballot posted by a voter.


3.4 An Example 

Consider an election with three candidates: A. Smith, B. Jones, and C. Johnson, in which a voter wants to post a vote of (Johnson, Smith, Jones) in that order. His ballot will be constructed as follows (we give a graphical example of a three-candidate ballot in Figure 2):

$x_1$, C. Johnson

— Encrypt $x_1$.

— For $j = 1, 2, 3$:

• Select $\mathit{in}_{1,j}$ independently (indeed, select all keys $\mathit{in}_{i,j}$ at random).

• Set $\mathit{out}_{1,j} = \mathit{in}_{2,j}$ after $\mathit{in}_{2,j}$ has been selected.

• Select $\mathit{lose}_{1,j}$ independently.

— Encrypt $\mathit{in}_{1,j}$, $\mathit{out}_{1,j}$, and $\mathit{lose}_{1,j}$.

— Create copies of $x_1$ and $\mathit{lose}_{1,j}$ by re-randomizing the encryption. As a tuple, these copies are the removal tag that gets posted to mix network 3.

— Post the tuple $(x_1, \mathit{in}_{1,j}, \mathit{out}_{1,j}, \mathit{lose}_{1,j})$ to mix network 1.

$x_2$, A. Smith and $x_3$, B. Jones

— Proceed as with $x_1$. Compute the tuples $(x_2, \mathit{in}_{2,j}, \mathit{out}_{2,j}, \mathit{lose}_{2,j})$ and $(x_3, \mathit{in}_{3,j}, \mathit{out}_{3,j}, \mathit{lose}_{3,j})$ as above.

— Post those tuples to mix network 2.

— Post the (re-encrypted) removal tags $(x_2, \mathit{lose}_{2,j})$ and $(x_3, \mathit{lose}_{3,j})$ to mix network 3.

$x_4$, the terminal choice

— Encrypt $x_4$.

— For $j = 1, 2, 3$:

• Select $\mathit{in}_{4,j}$ randomly and encrypt.

• Select $\mathit{out}_{4,j}$ randomly and encrypt.

• Select $\mathit{lose}_{4,j}$ randomly and encrypt.

— Post $(x_4, \mathit{in}_{4,j}, \mathit{out}_{4,j}, \mathit{lose}_{4,j})$ to mix network 2.

In order to prove that a vote is valid, the voter must prove the following using plaintext equality proofs:

— Given $\mathit{in}_{2,j}$ and $\mathit{out}_{1,j}$, show that $\mathit{in}_{2,j} = \mathit{out}_{1,j}$ (i.e., that $\mathit{in}_{2,j}$ and $\mathit{out}_{1,j}$ encrypt the same value).

— Given $\mathit{in}_{3,j}$ and $\mathit{out}_{2,j}$, show that $\mathit{in}_{3,j} = \mathit{out}_{2,j}$.

— Given $\mathit{in}_{4,j}$ and $\mathit{out}_{3,j}$, show that $\mathit{in}_{4,j} = \mathit{out}_{3,j}$.

Similarly, show that

— $x_1$ in network 1 $=$ $x_1$ in network 3.

— $x_i$ in network 2 $=$ $x_i$ in network 3 (for $i > 1$).

— $\mathit{lose}_{1,j}$ in network 1 $=$ $\mathit{lose}_{1,j}$ in network 3.

— $\mathit{lose}_{i,j}$ in network 2 $=$ $\mathit{lose}_{i,j}$ in network 3 (for $i > 1$).

3.5 Counting and Elimination 

Counting: After polls close, counters begin tallying votes: 

1. The counters verify the posted proofs of plaintext equality, and accept those votes whose proofs pass.

2. The mix networks shuffle the pools of votes. The removal tags are mixed in 
round 1 only. 

3. The counters leave the output of mix network 2, the voters’ subsequent 
choices, encrypted. 

4. The counters decrypt the first slots, representing the choice of candidate, of 
the first-place votes (from mix network 1) and of the removal tags. 

5. Counters discard terminal choices or votes for eliminated candidates that 
show up in the primary vote pool. 

6. Actual counting is trivial. The counters read the decrypted names of the 
first-place votes. A candidate is declared the winner if he has enough votes. 
Otherwise, a candidate is eliminated. 

Elimination: When a candidate $L$ is eliminated, the counters act accordingly:

1. They announce the candidate $L$ to be eliminated in round $r$, and locate the removal tags corresponding to $L$ in mix network 3. Recall that this network contains pairs consisting of encrypted names and encrypted lose values. The counters can collectively decrypt all of the names, and then for all entries corresponding to $L$, decrypt the corresponding lose values. These values may then be efficiently matched to their corresponding entries in mix net 2, as discussed below.

2. For each choice $c$ in the pools of votes, the counters decrypt $\mathit{lose}_{c,r}$ and $\mathit{in}_{c,r}$.

3. For each removal tag, the counters decrypt $\mathit{lose}_{L,r}$ and search for it in the pools of votes.

4. When a matching lose key is found, the counters check that the choice slot encrypts $L$, to ensure that they are eliminating the proper vote.

5. Link forwarding is now performed; see Figure 3. The counters decrypt $\mathit{out}_{L,r}$ and search for an incoming key $\mathit{in}_{c,r}$. The counters use a plaintext equality test to ensure that the correct link is being followed.

6. The counters set $\mathit{in}_{c,j} = \mathit{in}_{L,j}$ for $j = r, \dots, k$. This redirects the links from the eliminated choice to a choice that is still competing in the election.

7. If a vote for $L$ was in the primary choice pool, the counters promote the choice found by following the link.

8. At the end of round $r$, the counters discard $\mathit{in}_{c,r}$, $\mathit{out}_{c,r}$, and $\mathit{lose}_{c,r}$ for each candidate $c$. All keys corresponding to round $r$ are now discarded, and counters will use keys corresponding to round $r+1$ for the next elimination.

9. Counters remix the votes using mix networks 1 and 2.

9. Counters remix the votes using mix networks 1 and 2. 

Remark. Eliminating a candidate and forwarding links illustrates the need for 
a terminal choice. If a voter’s last choice is eliminated, the previous choice will 
now link to the terminal choice, instead of having hanging links. The terminal 
choice serves as an “anchor” that will always be among the pool of candidates. 
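The ballot construction of Sections 3.3 and 3.4 and the counting and elimination procedure of Section 3.5, as an added Python model that is not part of the paper. It keeps the tag bookkeeping as described (keys $\mathit{in}_{i,j}$, $\mathit{out}_{i,j}$, $\mathit{lose}_{i,j}$ per element and round, three pools standing in for mix networks 1 to 3, the terminal anchor, and link forwarding by copying $\mathit{in}_{L,j}$ onto the successor) but leaves every value in the clear, so encryption, mixing and group decryption are replaced by plain lookups and random shuffles. The sample election, the candidate names, the tie-break rule (fewest votes is eliminated, alphabetical order on ties) and all function names are constructed for this illustration; the closing check compares the per-round tallies the pools produce with an IRV count done directly on the plaintext lists, i.e. the ideal snapshots of Section 4.

```python
"""Plaintext model of the linked-list ballot and of counting with link forwarding.
Constructed illustration: encryption, mixing and group decryption are replaced by
plain values, dict lookups and random shuffles, so only the tag logic is shown."""
import random
import secrets
from collections import Counter

TERMINAL = "<terminal>"   # x_{k+1}: the anchor element that is never eliminated

def make_ballot(prefs):
    """Elements x_1..x_{k+1}, each with keys in_{i,j}, out_{i,j}, lose_{i,j}, j = 1..k.
    Returns the head (mix network 1), the tail (network 2), the removal tags (network 3)."""
    k = len(prefs)
    fresh = lambda: [secrets.randbits(64) for _ in range(k)]
    chain = [{"name": x, "in": fresh(), "lose": fresh()} for x in list(prefs) + [TERMINAL]]
    for i in range(k + 1):
        # out_{i,j} = in_{i+1,j} links x_i to x_{i+1}; the terminal's out keys are random
        chain[i]["out"] = list(chain[i + 1]["in"]) if i < k else fresh()
    tags = [(e["name"], list(e["lose"])) for e in chain]
    return chain[0], chain[1:], tags

def well_formed(head, tail, tags, candidates):
    """What the voter's plaintext-equality proofs establish, checked here in the clear."""
    chain = [head] + tail
    k = len(candidates)
    names = [e["name"] for e in chain]
    if len(chain) != k + 1 or names[-1] != TERMINAL or sorted(names[:-1]) != sorted(candidates):
        return False
    if any(chain[i]["out"] != chain[i + 1]["in"] for i in range(k)):
        return False                                   # in_{i+1,j} = out_{i,j} must hold
    return all(e["name"] == n and e["lose"] == l for e, (n, l) in zip(chain, tags))

def tally(pool1):
    """Counts of the current heads; an exhausted ballot (terminal at the head) does not count."""
    return dict(Counter(e["name"] for e in pool1 if e["name"] != TERMINAL))

def eliminate(L, r, pool1, pool2, pool3):
    """Round r: drop every element for L and forward the links around it."""
    j = r - 1                                          # round r uses key slot r
    lose_L = {lose[j] for name, lose in pool3 if name == L}     # step 1: removal tags for L
    by_in = {e["in"][j]: e for e in pool2}             # index network 2 by in_{c,r}
    heads = {id(e) for e in pool1}
    promoted = set()
    for e in pool1 + pool2:
        if e["lose"][j] not in lose_L:
            continue                                   # steps 2-3: no removal tag matches
        assert e["name"] == L                          # step 4: the slot must hold L
        nxt = by_in[e["out"][j]]                       # step 5: out_{L,r} = in_{c,r}
        for jj in range(j, len(e["in"])):              # step 6: in_{c,j} := in_{L,j}, j = r..k
            nxt["in"][jj] = e["in"][jj]
        if id(e) in heads:                             # step 7: promote the successor
            promoted.add(id(nxt))
    keep = lambda e: e["lose"][j] not in lose_L        # step 8: L's elements are discarded
    pool1 = [e for e in pool1 if keep(e)] + [e for e in pool2 if id(e) in promoted]
    pool2 = [e for e in pool2 if keep(e) and id(e) not in promoted]
    random.shuffle(pool1)                              # step 9: remix networks 1 and 2
    random.shuffle(pool2)
    return pool1, pool2

def run_election(lists, candidates):
    """Returns (snapshots, eliminations, winner); snapshots are the per-round tallies."""
    pool1, pool2, pool3 = [], [], []
    for prefs in lists:
        head, tail, tags = make_ballot(prefs)
        assert well_formed(head, tail, tags, candidates)
        pool1.append(head)
        pool2 += tail
        pool3 += tags
    keys = [v for e in pool1 + pool2 for v in e["in"] + e["lose"]]
    assert len(set(keys)) == len(keys)                 # Section 3.6: tags must be distinct
    for pool in (pool1, pool2, pool3):
        random.shuffle(pool)                           # the initial mix of all three pools
    snapshots, eliminated = [], []
    for r in range(1, len(candidates) + 1):
        counts = tally(pool1)
        snapshots.append(counts)
        remaining = [c for c in candidates if c not in eliminated]
        top = max(remaining, key=lambda c: counts.get(c, 0))
        if len(remaining) == 1 or 2 * counts.get(top, 0) > sum(counts.values()):
            return snapshots, eliminated, top
        L = min(remaining, key=lambda c: (counts.get(c, 0), c))   # fewest votes loses
        eliminated.append(L)
        pool1, pool2 = eliminate(L, r, pool1, pool2, pool3)

def ideal_tallies(lists, eliminations):
    """The ideal snapshots of Section 4: the same count done on the plaintext lists."""
    out, gone = [], set()
    for L in [None] + list(eliminations):
        if L is not None:
            gone.add(L)
        firsts = [next((x for x in prefs if x not in gone), None) for prefs in lists]
        out.append(dict(Counter(x for x in firsts if x is not None)))
    return out

CANDIDATES = ["A", "B", "C", "D"]                       # constructed sample election
SAMPLE_LISTS = ([["A", "B", "C", "D"]] * 3 + [["B", "A", "C", "D"]] * 2
                + [["C", "B", "A", "D"]] * 2 + [["D", "C", "B", "A"]])

if __name__ == "__main__":
    snaps, elim, winner = run_election(SAMPLE_LISTS, CANDIDATES)
    print(snaps, elim, winner)
    assert snaps == ideal_tallies(SAMPLE_LISTS, elim)
```

Because the pools are shuffled before every round, nothing in `eliminate` can rely on positions; every match goes through a tag, which is exactly why the paper needs the tags to be distinct (Section 3.6) and why forwarding copies the eliminated element's incoming keys for all remaining rounds rather than just the current one.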

3.6 Ensuring Distinctness and Unrelatedness of Keys 

Recall that a link is created by generating a random tag that appears in multiple places in the mix net. The correctness of the protocol requires that the tags be distinct, and the privacy of the protocol depends on the inability of an adversarial coalition to create nontrivial relations between their tags and those of good voters.

[Figure 2 image: a sample three-candidate ballot; only the caption survives extraction.]

Fig. 2. A sample ballot for an election with three candidates.

[Figure 3 image: link forwarding; of the panel titles only “(b) Counters decrypt out” survives extraction.]

Fig. 3. An example of link forwarding. Encrypted items are in gray, decrypted items are in white, and discarded items are in black.

The latter problem is implicitly dealt with in the full privacy analysis, and 
follows from the fact that all of the tags come with proofs of knowledge (here 
we assume the idealized version of the protocol, where the proofs of knowledge 
are carried out). The values of the tags chosen by the adversarial players must 
be decided upon, and known to the adversarial players (via the extractor for 
the proof), given only the encryptions of these tags and zero-knowledge proofs 
based on these encryptions. If any nontrivial polynomial-time relation R held 
(with probability greater than chance) between the values chosen by the good 
voters and the values known to the adversaries, this could be used to obtain a 
distinguisher that breaks the underlying probabilistic encryption scheme. 

However, nothing stops colluding voters (or even a single voter) from making two tags equal when they should not be. We solve this problem by using a standard coin-flipping-in-the-well protocol. The interactive form of this protocol is as follows:

1. The tag creator generates a random tag $T$, and encrypts it, generating $C$.

2. A randomizer generates a random $r$.

3. The tag creator generates an encryption $C'$ of $T' = T + r$. Note that for most homomorphic encryption systems, $C'$ can be generated from $C$ and $r$.

In this ideal interactive scenario, the value of $T'$ is random. Following Gennaro, we heuristically choose $r$ as a hash of $C$, the identity of the tag creator, and a representation of the “place” of this tag in the protocol as a whole (we simply ask that this representation never appear twice in the same election).

Of course, if a tag is prescribed to be equal to an earlier generated value, we 
simply create the commitment with this earlier value (and prove equality). 

It can be shown that if $T$ and $C$ are chosen correctly (a random value and a random encryption), then the distribution of $T'$ is indistinguishable from random. This is not true if $T$ is chosen adversarially. However, by a standard argument, $T'$ cannot be chosen to collide with any other tag value, except with negligible probability, if one replaces the hash function with a random oracle. We heuristically assume the same holds true for a suitable cryptographic hash function.

We note that the tags are homomorphically encrypted for use in the mix-net; one can achieve greater efficiency (at some loss of clarity) by putting a randomization step in at this point. Even further efficiency can be obtained by limiting the range of $r$, say to 192 bits, even if the range of the tags is much larger.

4 Analysis 

4.1 The Framework and Limits of Our Analysis 

Aside from the analysis of efficiency, we cannot formally analyze our protocol in 
its recommended usage, which makes use of variants of the Fiat-Shamir heuristic. 
We instead, following a long tradition, analyze the “idealized” protocol, in which 
the parties engage in true proofs of knowledge and coin-flipping protocols with 
a trusted external party. 

We also assume that while some of the counters may be corrupt, sufficiently 
many are honest so that the mix-net and group decryption protocols are secure 
and serially composable. 

We also assume that the (essentially external) decisions as to which candidate is eliminated in any phase are independent of the “internals” of the protocol (i.e., they are not based on the encrypted values), though they may of course depend on the tallies of who has how many votes. We note that any sensible decision procedure will not look any deeper than the precincts’ vote sub-totals. This limitation may be relaxed, particularly if $k$ is small: essentially giving the adversary full choice over the elimination sequence requires a $k!$ increase in the computational hardness of breaking the probabilistic encryptions and subverting the mix-net, coin-flipping and group decryption protocols.¹

¹ We suspect that with some care, the $k!$ factor may be reduced to $k^{O(1)}$. However, a slightly more intricate analysis is required.
Thus, we view and analyze our protocol, and the attacks on it, as follows. 

1. The voters, both good and malicious, prepare their encrypted lists, and per- 
form the requisite proofs and coin-flipping protocols with an honest party. 
The malicious voters may see the encryptions generated by the good voters, 
and the transcripts of these protocols, but must engage in the proofs and 
coin flipping protocols anew (this is why we use Gennaro’s trick to prevent 
the reuse of the Fiat-Shamir proofs). It is in the creation of these encrypted 
ballots that we allow the adversary the most freedom of operation. 

2. For each phase of the counting process, the counters engage in various secure 
computations (mix net operations and group decryptions) on the encrypted 
values. As we assume that the adversary is unable to corrupt these protocols 
(sufficiently), we assume that 

— The operations proceed correctly. 

— The adversary is able to see the inputs and output of these operations, 
but not the actual operation of the protocol. 

These two assumptions are justified based on the correctness and simulata- 
bility of the underlying sub-protocols. Given the inputs and outputs, anyone 
can simulate the set of messages comprising the execution of the secure 
computation. 

After some of these secure computations, tallies of votes for each surviving can- 
didate are generated. We call these tallies ideal snapshots. We call the output of 
the secure computations protocol snapshots. 

Thus, we can view the attack on the protocol as comprising the (mis)generation 
of ballots followed by the observation of a series of protocol snapshots. We compare 
such an attack with an ideal attack, which works as follows: 

1. The voters, adversarial or not, create ordered lists of candidates. 

2. Initially, or after a candidate has been eliminated, the tallies of current first 
choice votes for candidate are revealed, corresponding to the ideal snapshot 
defined above. 

To analyze correctness, we observe that our protocol (at least in its idealized form) ensures that the ballots correspond to well-defined lists of candidates, and that the resulting “ideal snapshots” are what they should be given this list. To analyze privacy, we go on to show that given the information that may be extracted from the adversarial voters and the ideal snapshots, one may generate simulated protocol snapshots that are computationally indistinguishable from the actual protocol snapshots.

4.2 Efficiency 

In a correct vote, each choice consists of a name slot and $O(k)$ keys. The complete construction of the linked list requires $O(k^2)$ key values. Because El Gamal encryption and the plaintext equality proof take a constant number of exponentiations, a quadratic number of exponentiations is needed to cast a vote. Each ballot will also require $O(k^2)$ encryptions. The centers must perform shuffles on $O(nk^2)$ encrypted values per elimination round. Group decryptions must be performed on $O(nk)$ encrypted values per elimination round.

4.3 Correctness 

To show that this protocol is correct, we show that accepted ballots correspond 
to independent, well-formed lists of names, and that the protocol performs the 
correct operations on these lists. 

Lemma 1 summarizes the result of the zero-knowledge proofs of knowledge and coin-flipping protocols.

Lemma 1. Suppose we have a collection of submitted ballots that have passed the zero-knowledge proofs of knowledge given in Section [?]. Then, assuming that all the ballot creators run in probabilistic polynomial time and that the probabilistic encryptions are secure, the following will hold almost always:

1. All accepted ballots can be mapped to a well-formed list of names and well 
formed tag values; all such values may be extracted from the entity submitting 
the ballot (and hence performing the proofs of knowledge). 

2. All tag values that are specified by the protocol to be equal will be equal; any 
two tag values that are not specified to be equal will not be equal. 

One important consequence of the proofs of knowledge is that vote duplication or other forms of mauling are impossible. Suppose that the good voters have vote lists $\{L\}$ and generate the (essentially) random tags $\{t\}$ used for the linked lists. We consider two types of adversary. The ideal model adversary, $A'$, chooses vote lists $\{L'\}$ and tags $\{t'\}$, without seeing $\{L\}$ and $\{t\}$. The real model adversary, $A^*$, sees a transcript consisting of the actual ballots generated by the good voters, and is allowed to generate ballots for itself. However, it must perform the specified proofs of equality and knowledge on these ballots; let $\{L^*\}$ and $\{t^*\}$ be the lists and tags obtained by the extractor for these proofs (by Lemma 1 these lists are well defined with all but negligible probability). Lemma 2 asserts that $A^*$ cannot use its extra information to any better effect than $A'$.

Lemma 2. For any probabilistic polynomial time adversary $A^*$, there is a probabilistic polynomial time adversary $A'$ such that $(\{L\}, \{t\}, \{L'\}, \{t'\})$ is computationally indistinguishable from $(\{L\}, \{t\}, \{L^*\}, \{t^*\})$.

Proof. (Sketch) We use a standard hybrid argument. Given $A^*$, we create a hybrid adversary, $A_1$, that runs $A^*$ given the encryptions, but with simulated proofs instead of actual proofs. The output of this adversary must be computationally indistinguishable from that of $A^*$, or we have a violation of the zero-knowledge property. We define $A'$ as the adversary that generates random encrypted values and runs $A_1$. The output of $A'$ must be computationally indistinguishable from that of $A_1$, or there would be a violation of the semantic security of the encryption.

We pause to reflect on the meaning of Lemma 1 and Lemma 2 for the types of attacks that can be staged during the ballot reconstruction phase. The adversary must create ballots that correspond to well-formed lists and tags, such that the set of tags has no spurious duplications. The lists and tag values might as well have been chosen independently of the honest voters. In short, the adversary acts no differently than an adversary that chooses its lists and tags and engages in the protocol.

It remains to consider the remainder of the protocol. Recall that the adversary is assumed not to be able to corrupt enough counters to interfere with the mix-net and group decryption operations.

We observe that the details of the ballots (other than the fact that they are valid) are essentially irrelevant to the rest of the protocol. The proofs are essentially dropped once they are verified, leaving only the chosen encryptions. Recall that a re-encrypting mix-net replaces the encryption of some value $x$ with a random encryption of $x$. Thus, the precise encryptions chosen by the adversary almost immediately become irrelevant, as summarized in Lemma 3.

Lemma 3. The result of the first re-encrypting mix-net operation depends only 
on the values of the lists and tags encrypted in the ballots, not on the ballots 
themselves. 

Thus, the only effective difference between a general adversary that chooses its 
ballots and a comparatively ideal adversary that chooses its list of candidates 
and then participates in the protocol is that the general adversary can specify its 
tags arbitrarily (but not to collide spuriously). By a straightforward but tedious 
argument, one can show the following: 

Lemma 4. Given a set of well-formed ballots, corresponding to a set of lists of 
candidates, with no spurious tag collisions, and sequence of candidate elimina- 
tions, the vote counts produced at each round will be the same as that produced 
by the ideal vote-counting algorithm on these lists of candidates. 

Hence, the (partial) freedom to choose the tag values is irrelevant to the inter- 
mediate counts of the protocol. 

The above Lemmas imply the correctness of our (idealized) protocol. 

Privacy. The methodology of the previous section can be extended to simultaneously establish privacy as well. Consider the view of the adversary attempting to corrupt the election. At the time it selects its ballots, it has only seen probabilistic encryptions of the good voters’ lists and tags, and zero-knowledge proofs on these values. As with the proof of Lemma 2, we can simulate this view with simulated proofs on random committed values. It remains to simulate the views of the later parts of the protocols. As before, we use the extraction property of the proofs to extract the lists $\{L'\}$ and tags $\{t'\}$ specified by the adversary. By the previous section (particularly Lemma 3), once the ballots have been constructed and tested, these values are the only aspects that are relevant to future steps of the protocol.

We consider the view of the adversary in the ideal and actual settings. In 
the ideal setting, the adversary sees $\{L'\}$ and $\{t'\}$ and then sees the sequence 
of intermediate vote counts (one initial, and one for each elimination phase). 
In reality, the adversary sees a sequence of "snapshots" consisting of encrypted 
values output by the mix-net, of which some subset are revealed at each stage, 
as specified by the protocol and by which candidates are eliminated. Additionally, 
there is the adversary's view of the actual secure computations we are invoking, 
but these are assumed to be simulatable. Lemma 5 states that one can simulate 
the snapshots given the information available in the ideal model. 

Lemma 5. Given the vote lists $\{L'\}$ and tags $\{t'\}$ given by the adversary, and 
the sequence of vote totals generated in each elimination phase, and the identities 
of each eliminated candidate, one can in probabilistic polynomial time generate 
simulations of the output of each secure computation operation that are compu- 
tationally indistinguishable from the outputs of the protocol. 

The proof is a tedious but straightforward hybrid argument. 

5 Discussion 

Receipt Freeness: One of the more obvious deficiencies of this protocol is its 
lack of receipt-freeness. It seems likely that, at the cost of modestly greater com- 
plexity, one can make a receipt-free version of this protocol using standard tech- 
niques (though we do not claim such a result). The natural approach would be 
for voters to interact with a voting entity to securely compute a ballot; the voter 
inputs its preferences, but has no more knowledge of the proofs and encryptions 
than if another voter had cast a ballot with the same preference list. While gen- 
eral secure computation is impractical, the operations required for constructing a 
ballot, namely creating randomized encryptions for the candidate names, random 
tags and proofs of equality of these tags, are quite amenable to this approach. 

Practicalities: It should be pointed out that we have ignored an entire space 
of trust and security issues, assuming for example that voters have completely 
trustworthy implementations of their part of the protocol. We view this work as 
an early step towards efficient preference-based voting. 

Extension to multiple winners: This protocol only covers the case of an 
election with a single victor. If the election is for multiple seats, winners get 
"eliminated." They keep a quota's worth of first-choice votes, with the surplus 
getting redistributed with a fractional weight. An STV protocol may be derived 
from this protocol: it would preserve preference hiding and use the same ideas 
for link forwarding, but take the fractional redistribution of votes into account. 

Handling multiple losers and Write-in votes: It may be foreseeable that a 
number of candidates with relatively small tallies of votes will not be able to garner 
enough votes to win the election. In this protocol, the votes have to be reshuffled 
after each elimination, or authorities may reveal significant link information. We 
would like to modify this protocol so that multiple losing candidates can be re- 
moved efficiently. This would also allow for the inclusion of write-in candidates. 
Write-in candidates with a significant number of votes will stay in the vote pool, 
while the occasional sporadic write-in vote will be eliminated promptly. 
Incomplete Voting: A voter may not need to fill out a complete ballot, instead 
opting for ranking $t$-out-of-$k$ candidates. In San Francisco elections, for example, 
voters select only three out of $k$ candidates when voting. This scheme is adaptable 
to such an incomplete vote, so long as voters post one key per candidate. Each vote 
listing $t$ candidates will take $O(tk)$ bits. Schemes that encode a full list of choices 
in one ballot will now require at least $\log(k!) + 1$ bits. If $t$ is sufficiently small, then 
this system also improves on the space efficiency of previous schemes. On the other 
hand, the privacy of some ballots will be compromised, as terminal choices will 
appear in the primary pool of votes; counters may be able to reconstruct ballots 
consisting of only eliminated candidates. One potential solution to this is to have 
a voter post dummy choices to fill out the ballot. 
Abstract. Encryption schemes that support computation on encrypted 
data are useful in constructing efficient and intuitively simple cryp- 
tographic protocols. However, the approach was previously limited to 
stand-alone and/or honest-but-curious security. In this work, we apply 
recent results on “non-malleable homomorphic encryption” to construct 
new protocols with Universally Composable security against active cor- 
ruption, for certain interesting tasks. Also, we use our techniques to 
develop non-malleable homomorphic encryption that can handle homo- 
morphic operations involving more than one ciphertext. 

1 Introduction 

Computation on encrypted data is one of the most intriguing problems in cryptog- 
raphy today. There is a long history of works investigating this problem in various 
general settings [?], as well as in relation to specific computational tasks (e.g., 
searching on encrypted inputs [?]). As demonstrated by these works, being able 
to compute on encrypted inputs leads to simple intuitive protocols for many 
cryptographic tasks. 

However, compared to some of the core areas in cryptography like encryption, 
authentication and secure multi-party computation, the state of the art for com- 
putation on encrypted inputs remains quite limited. The majority of encryption 
schemes that allow computations on encrypted data are only known to achieve 
security against chosen-plaintext attacks. As such, protocols that manipulate 
encrypted data often have to employ complicated machinery of zero-knowledge 
proofs and/or distributed key management to provide protection against mali- 
cious participants. Similarly, issues like composability of protocols have hardly 
been explored for this problem. 

In this work we take a closer look at the composability and non-malleability 
aspects of computation on encrypted data. Our goal is to construct protocols 
that are secure in the demanding setting of Universally Composable (UC) secu- 
rity [?]. The main challenge is in forbidding a malicious party from manipulating 
encrypted data in unwanted ways. The traditional solution to this problem is 
to use zero-knowledge proofs to enforce honest behavior. However, general zero- 
knowledge proofs are not possible in the UC framework. 

* Partially supported by NSF grant CNS 07-47027. 

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 216-233, 2008. 


Towards Robust Computation on Encrypted Data 217 


Instead, our approach is to restrict malicious parties’ capabilities via strong 
non-malleable guarantees on the encryption scheme itself. This approach has the 
additional benefit that shifting some of the security burden to the encryption 
scheme allows us to construct conceptually simple protocols that still achieve 
strong security against malicious parties. 

Requiring "non-malleability" for an encryption scheme may seem counter- 
productive to the goal of computing on its encrypted data. Indeed, a scheme 
must necessarily be malleable in some way for its encrypted data to be manip- 
ulated. However, a security notion called Homomorphic-CCA (HCCA) security 
has recently been defined in [?], meaningfully combining homomorphic com- 
putational features and non-malleability. Briefly, a scheme that achieves HCCA 
security is homomorphic with respect to certain operations, but explicitly forbids 
all other manipulations to the underlying plaintext. 

The HCCA security requirement is strong enough to be meaningful in the 
UC framework, but unlike general-purpose UC zero-knowledge proofs, can be 
achieved in the plain model. Indeed, such a scheme has been constructed in 
[?], under a standard assumption. However, that construction only supports a 
very limited class of homomorphic operations. In particular, it does not support 
operations which combine multiple encrypted inputs, which are relevant in the 
context of computation on encrypted data. Our contribution in this work is to 
show that when used with appropriately encoded data, the relatively unexpres- 
sive scheme from [?] can be used to robustly implement more sophisticated 
computations on data encrypted in multiple ciphertexts. 

1.1 Overview of Our Results 

Background: Non-Malleable Homomorphic Encryptions. Computation on en- 
crypted data necessitates having an encryption scheme that supports some ho- 
momorphic operations. However, when considering security against malicious 
parties, a non-malleability requirement is also generally needed. 

A key component in our constructions is a public-key encryption scheme that 
meaningfully combines both non-malleability and homomorphic operations. Such 
schemes were introduced in [?]. We review the relevant security definitions for 
these schemes in Section 2. For the purposes of this overview, the reader may 
consider a "non-malleable (unary) homomorphic encryption scheme" to be one 
in which the only ways to construct a valid ciphertext are: (1) encrypting a 
known message, or (2) applying a homomorphic operation to some $\mathrm{Enc}(m)$ to 
obtain $\mathrm{Enc}(T(m))$, for any function $T$ in a set of allowed transformations. The 
set of allowed transformations is a fixed parameter of the encryption scheme, 
and it is infeasible for an adversary to generate a ciphertext whose value de- 
pends on other ciphertexts in any other way. Furthermore, ciphertexts derived 
via the homomorphic operation are completely indistinguishable (even to the 
recipient) from ciphertexts generated by the standard encryption operation. In 
[?], a construction was given for a family of encryption schemes that support 
these requirements for a range of allowed transformation operations related to 
cyclic group operations. Our results do not rely on any additional properties of 
that construction, but use the primitive in a black-box manner, and as such, can 
be instantiated with the construction in [?] or any future construction satisfying 
the appropriate security requirements. 

The common technique in our constructions is to exploit the power of this en- 
cryption scheme as follows: We encode the input data with some special random- 
ized “integrity” information into a vector of several ciphertexts. The integrity 
information is intended to correlate the vector of ciphertexts together into one 
“bundle.” The homomorphic property of the scheme ensures that the integrity 
information and data can be manipulated in certain ways. For instance, in both 
of our main results, the integrity information can be “re-randomized” using the 
scheme’s homomorphic operations. 

When using a homomorphic non-malleable encryption scheme in a protocol, 
already by the non-malleability property of the encryption scheme, ciphertexts 
can only be derived from others using a certain limited class of operations. By 
employing an appropriate integrity encoding, we further enforce that among 
the small set of allowed operations, the only ones which preserve/maintain the 
integrity information are the legitimate operations prescribed by the protocol. 
In other words, the integrity encoding provides a means to give and verify an 
implicit zero-knowledge proof that the protocol is being honestly implemented. 

Opinion Polling. Our first result is an “opinion poll” protocol that elegantly 
illustrates the power of the combination of non-malleability, unlinkability and 
homomorphism in a single encryption scheme. The protocol is motivated by the 
following scenario: A pollster wishes to collect information from many respon- 
dents. However, the respondents are concerned about the anonymity of their 
responses. Indeed, it is in the interest of the pollster to set things up so that 
the respondents are guaranteed anonymity, especially if the subject of the poll 
is sensitive personal information. 

To help collect responses anonymously, the pollster can enlist the help of an 
external tabulator. The respondents require that the external tabulator too does 
not see their responses, and that if the tabulator is honest, then responses are 
anonymized for the pollster (i.e., so that he cannot link responses to respon- 
dents). The pollster, on the other hand, does not want to trust the tabulator at 
all: if the tabulator tries to modify any responses, the pollster should be able to 
detect this so that the poll can be invalidated. 

A relevant view of this problem is as an instance of a model that we call 
crypto-computing on third-party inputs — a model that extends the "crypto- 
computing" model from [23]. In this new model, the inputs to the computation 
are owned by a set of parties other than the client (who receives the output — 
the pollster in our case) and the server (who does the actual computation on 
encrypted data — the tabulator in our case). This separation of roles introduces 
new security requirements: (1) Privacy for the input parties: the client should 
not learn anything other than the intended output value. The server should not 
learn anything either. (The input providers are not necessarily interested in the 
correctness of the computation.) (2) Robustness: a malicious server cannot make 
the client accept an output that is inconsistent with the parties' inputs. 
The opinion poll scenario is similar to the classic setting for mix-nets, 
where a group of servers accepts a list of ciphertexts and outputs a random 
permutation of their decrypted values. However, in many mix-net protocols it 
can be quite complicated to enforce the correctness of outputs against a malicious 
(i.e., actively corrupt) server (in our case, the tabulator in particular). Often 
zero-knowledge proofs [?], or distributed decryption via verifiable secret sharing, 
are used to enforce the integrity of operations performed on the ciphertexts. In 
contrast, our use of non-malleable homomorphic encryption leads to a simple 
and elegant UC-secure protocol. 

The main idea in our protocol is to use an encryption scheme whose only 
homomorphic operation is $\mathrm{Enc}(\alpha, \beta) \mapsto \mathrm{Enc}(\alpha, t\beta)$, where $t, \alpha, \beta$ are elements of 
some cyclic group. In other words, plaintexts consist of a pair of group elements. 
Anyone can multiply (apply the group operation to) the second plaintext compo- 
nent with a known value $t$, but the first component is completely non-malleable, 
and the two components remain "tied together." Now, to implement the opinion 
poll protocol, the pollster generates a (multiplicative) secret sharing $r_1, \ldots, r_n$ 
of a random secret group element $R$, then sends to the $i$-th respondent a share 
$r_i$. Each respondent sends $\mathrm{Enc}(m_i, r_i)$ to the tabulator, where $m_i$ is his response 
to the poll. Now the tabulator can blindly re-randomize the shares (multiply the 
$i$-th share by a random $s_i$, such that $\prod_i s_i = 1$), shuffle the resulting ciphertexts, 
and send them to the pollster. The pollster will ensure that the shares encode 
the secret $R$ and accept the results. 

Informally, security is argued as follows. The pollster only sees a random 
permutation of the responses, and since the multiplicative sharing of $R$ is re- 
randomized, there is no way to link any responses to the $r_i$ shares he originally 
dealt to the respondents. The tabulator sees only encrypted data, and in par- 
ticular has no information about the secret $R$ or any individual shares $r_i$. The 
only way the tabulator could successfully (with non-negligible probability) gen- 
erate ciphertexts whose second components are a multiplicative share of $R$ is 
by making exactly one of his ciphertexts be derived from each respondent's ci- 
phertext. By the non-malleability of the encryption scheme, each response $m_i$ 
is inextricably "tied to" the corresponding share $r_i$ and cannot be modified, so 
each respondent's response should be represented exactly once in the tabulator's 
output. Finally, observe that the responses of malicious respondents must be in- 
dependent of honest parties' responses - by "copying" an honest respondent's 
ciphertext to the tabulator, a malicious respondent also "copies" the correspond- 
ing $r_j$. The resulting shares would be inconsistent with overwhelming probability. 

We also show a similar protocol where the computation performed is a boolean- 
OR of the respondents' boolean inputs (where the tabulator also provides an in- 
put). Again, the non-triviality in these constructions is not in the complexity of the 
computation performed, but in ensuring (using only the properties of the encryp- 
tion scheme, and in particular no zero-knowledge proofs) that a malicious server 
cannot do anything unwanted without detection. 

Binary Homomorphic Encryption. Our second contribution is an extension of 
the non-malleable homomorphic encryption scheme of [?]. The scheme of [?] 
is homomorphic in an inherently unary way; it prohibits operations that com- 
bine multiple ciphertexts together in a homomorphic way. However, many 
existing applications of (plain) homomorphic encryption schemes rely on com- 
bining multiple ciphertexts together. Unfortunately, in [5], it was shown that 
it is impossible to achieve the natural extension of the security definitions to 
the setting where the homomorphic operations act on multiple ciphertexts. 
The complication arose from the tension between the non-malleability require- 
ment and the unlinkability requirement (namely, that a ciphertext not leak 
whether it was derived as a normal encryption or via one of the homomorphic 
operations). 

In this work, we show that a meaningful relaxation of these definitions can be 
achieved. Instead of settling for absolute unlinkability, we consider a relaxation 
similar to that used in [23], in which ciphertexts grow in size after applying 
the operations. Thus, a ciphertext will reveal no more than (an upper bound 
on) the number of homomorphic operations that have been applied to derive it. 
However, unlike in [?], our goal is to achieve non-malleability and robustness 
against malicious adversaries. 

We construct an encryption scheme that supports the binary group operation 
in a cyclic group; i.e., anyone can transform $\mathrm{Enc}^*(\alpha)$ and $\mathrm{Enc}^*(\beta)$ into $\mathrm{Enc}^*(\alpha\beta)$, 
but the scheme is otherwise non-malleable. Lacking a "standard" security defi- 
nition for such an encryption scheme, we prove that our construction is a UC- 
secure realization of a natural ideal functionality, whose details are motivated 
by extending the UC functionality considered in [?]. 

The main idea in our construction is to encode a message $m$ as a vector 
$\mathrm{Enc}(m_1), \ldots, \mathrm{Enc}(m_k)$, where the $m_i$'s are a random multiplicative sharing of $m$ 
in the group, and Enc is a non-malleable homomorphic encryption scheme that 
supports (unary) group operations (from [13]). To "multiply" two such encrypted 
encodings, we can simply concatenate the two vectors of ciphertexts together, 
and rerandomize the new set of shares (multiply each component by $s_i$, where 
$\prod_i s_i = 1$, as in the opinion poll protocol) to bind the sets together. 

The above approach captures the main intuition, but our actual construction 
uses a slightly different approach to ensure UC security. In the scheme described 
above, anyone can split the vector $\mathrm{Enc}(m_1), \ldots, \mathrm{Enc}(m_k)$ into two smaller vectors 
that encode two (random) elements whose product is $m$. We interpret this as a 
violation of our desired properties, since it is a way to make two encodings whose 
values are related to a longer encoding. To get around this problem of "breaking 
apart" these ciphertexts, we encode $m$ as $\mathrm{Enc}(\alpha_1, \beta_1), \ldots, \mathrm{Enc}(\alpha_k, \beta_k)$, where the 
$\alpha_i$'s and $\beta_i$'s form two independently random secret sharings of $m$. Rerandom- 
izing these encodings is possible when we use a scheme that is homomorphic 
with respect to the operations $(\alpha, \beta) \mapsto (t\alpha, s\beta)$. Now these encodings cannot 
be split up in such a way that the first components and second components 
are shares of the same value. Note that it is crucial here that because of the 
non-malleability properties of the scheme, the $(\alpha_i, \beta_i)$ pairs cannot themselves 
be "broken apart." 
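The double-sharing encoding just described, worked through in Python as an added example (this is not the authors' code). The scheme Enc is not implemented: a "ciphertext" is simply the plaintext pair $(\alpha_i, \beta_i)$, and the only operation applied to it is the allowed one, $(\alpha, \beta) \mapsto (t\alpha, s\beta)$, so non-malleability is an assumption of the model rather than something the code enforces. The group is $\mathbb{Z}_P^*$ for the Mersenne prime $P = 2^{127} - 1$ (my choice), the function names are mine, and the rule that a decoder rejects a vector whose two sharings open to different values is my rendering of the paper's remark that a split vector no longer has both components sharing the same value. The example also includes the single-sharing first idea so that its splitting problem can be seen directly.

```python
"""Double-sharing encoding of Section 1.1, simulated in Z_P^* (added example)."""
import secrets
from typing import List, Optional, Tuple

P = (1 << 127) - 1          # Mersenne prime: Z_P^* is cyclic of order P - 1
Pair = Tuple[int, int]      # stands in for Enc(alpha_i, beta_i); not a real ciphertext


def rand_elem() -> int:
    """Uniform element of G = Z_P^*."""
    return secrets.randbelow(P - 1) + 1


def mul(a: int, b: int) -> int:
    return a * b % P


def prod(xs) -> int:
    out = 1
    for x in xs:
        out = mul(out, x)
    return out


def share_of(value: int, k: int) -> List[int]:
    """Multiplicative k-of-k sharing: prod(shares) == value, any k-1 shares uniform."""
    head = [rand_elem() for _ in range(k - 1)]
    return head + [mul(value, pow(prod(head), -1, P))]   # last share fixes the product


def encode_single(m: int, k: int) -> List[int]:
    """First idea from the text: Enc(m_1), ..., Enc(m_k) with a single sharing of m."""
    return share_of(m, k)


def encode(m: int, k: int) -> List[Pair]:
    """Actual construction: (alpha_i, beta_i) with two independent sharings of m."""
    return list(zip(share_of(m, k), share_of(m, k)))


def rerandomize(vec: List[Pair]) -> List[Pair]:
    """Apply (alpha_i, beta_i) -> (t_i alpha_i, s_i beta_i) with prod t_i = prod s_i = 1.
    This is the only homomorphic operation the paper's scheme would allow."""
    t, s = share_of(1, len(vec)), share_of(1, len(vec))
    return [(mul(ti, a), mul(si, b)) for (a, b), ti, si in zip(vec, t, s)]


def multiply(v1: List[Pair], v2: List[Pair]) -> List[Pair]:
    """Enc*(a), Enc*(b) -> Enc*(ab): concatenate, then rerandomize to bind the parts."""
    return rerandomize(v1 + v2)


def decode(vec: List[Pair]) -> Optional[int]:
    """Decryptor's view (assumed rule): both sharings must open to the same m."""
    a = prod(x for x, _ in vec)
    b = prod(y for _, y in vec)
    return a if a == b else None


def split(vec: list, i: int) -> tuple:
    """Cut a vector into two pieces, the 'breaking apart' the text warns about."""
    return vec[:i], vec[i:]
```

With a single sharing, the two pieces of a split vector multiply back to $m$, so the pieces are two valid encodings related to the original; with the double sharing, each piece's $\alpha$-product and $\beta$-product are independent random elements and the piece is rejected (they coincide only with probability about $1/|G|$).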
2 Preliminaries 

Homomorphic Encryption Syntax and Security. Our constructions use homo- 
morphic encryption schemes that have unary homomorphic operations on the 
plaintext messages. That is, we suppose there is a procedure CTrans, which 
takes a ciphertext and a (description) of a function $T$ on plaintexts, such that 
$\mathrm{Dec}_{SK}(\mathrm{CTrans}(C, T)) = T(\mathrm{Dec}_{SK}(C))$ is satisfied. 

Prabhakaran and Rosulek [?] introduced security definitions for homomor- 
phic encryptions that combine non-malleability as well as robust homomorphic 
features. Schemes satisfying these definitions are vital for achieving UC security 
in our constructions. We present a high-level overview of their security definitions 
below; we refer the reader to Appendix [?] for the complete formal definitions. 

Informally, a homomorphic encryption scheme achieves Homomorphic-CCA 
(HCCA) security with respect to a set of functions $\mathcal{T}$ if the scheme is non- 
malleable except for the possibility of changing an encryption of $m$ into an 
encryption of $T(m)$, for $T \in \mathcal{T}$ (i.e., no other operations are possible in the 
scheme). We also consider the complementary requirement: Informally, a homo- 
morphic scheme is unlinkable with respect to $\mathcal{T}$ if it is indeed possible to change 
encryptions of $m$ into encryptions of $T(m)$ for $T \in \mathcal{T}$ as a feature (using the 
CTrans operation), in such a way that ciphertexts do not reveal whether they 
were generated via Enc or via CTrans. 

Formalizing the intuitive HCCA requirement in a general way is non-trivial. It 
is achieved in [?] by requiring that there be an additional procedure $\mathrm{RigEnc}_{PK}$ 
(used only in the analysis) which outputs a special "rigged" ciphertext $\zeta$ and 
some auxiliary information $S$, such that $\zeta$ is indistinguishable from a normal ci- 
phertext. The rigged ciphertext does not necessarily encode a message; however, 
there is a corresponding procedure $\mathrm{RigExtract}_{SK}$ which, when given another ci- 
phertext and the auxiliary information $S$, determines whether it was obtained 
by applying a transformation to $\zeta$, and if so, outputs that transformation. The 
formal HCCA security experiment enforces the indistinguishability of rigged and 
normal ciphertexts, as well as the correctness of RigExtract's output. Intuitively, 
if RigExtract only outputs transformations in $\mathcal{T}$, then ciphertexts can only de- 
pend on the values of other ciphertexts according to transformations in $\mathcal{T}$. 

The unlinkability requirement is formalized via a more straightforward se- 
curity experiment. At a high level, the experiment enforces that for all adver- 
sarially generated ciphertexts $\zeta$ such that $\mathrm{Dec}_{SK}(\zeta) \neq \bot$, the two distributions 
$\mathrm{Enc}_{PK}(T(\mathrm{Dec}_{SK}(\zeta)))$ and $\mathrm{CTrans}(\zeta, T)$ are indistinguishable, even in the pres- 
ence of a decryption oracle. 

Concrete constructions. Prabhakaran and Rosulek give a construction achiev- 
ing the desired properties for various kinds of homomorphic operations, under the 
Decisional Diffie-Hellman assumption. 

Let $G$ be a cyclic group, and let $G^n$ denote the product group, where we 
extend the group operation in $G$ component-wise. For $\sigma \in G^n$, define the function 
$T_\sigma : G^n \to G^n$ as the "multiplication by $\sigma$" operation: $T_\sigma(\alpha) = \sigma\alpha$. Finally, for 
any $H \subseteq G^n$, define $\mathcal{T}_H = \{T_\sigma \mid \sigma \in H\}$. 

Theorem 1 ([?]). For any $n \geq 1$ and any subgroup $H$ of $G^n$, there is an en- 
cryption scheme with message space $G^n$ that is simultaneously HCCA-secure and 
unlinkable, with $\mathcal{T}_H$ as the set of allowed operations, provided that the Decisional 
Diffie-Hellman (DDH) assumption holds in $G$ and any subgroup of $\mathbb{Z}^*_{|G|}$. 

Our two main results use instantiations of the above construction with $n = 2$, 
and $H = \{1\} \times G$ and $H = G^2$, respectively. 


3 Opinion Polling 

We describe an intuitively simple yet robust protocol for the opinion polling 
application described in Section 1.1, using HCCA encryption as a component. 

Formally, we give a secure protocol for the UC ideal functionality $\mathcal{F}_{\mathrm{poll}}$, de- 
scribed in Figure 1. For the opinion polling application, we associate the pollster 
with party $P_{\mathrm{client}}$, the tabulator with $P_{\mathrm{server}}$, and the respondents with the input 
parties $P_1, \ldots, P_n$. Note that in $\mathcal{F}_{\mathrm{poll}}$, $P_{\mathrm{client}}$ learns only a random permutation 
of the parties' inputs, while $P_{\mathrm{server}}$ learns nothing about their inputs (except the 
knowledge of who has submitted inputs). Also, $P_{\mathrm{server}}$ and each input party can 
cause the process to abort without $P_{\mathrm{client}}$ accepting any output. 


On input $[\mathrm{SETUP}, P_{\mathrm{client}}, P_{\mathrm{server}}, P_1, \ldots, P_n]$ from party $P_{\mathrm{client}}$: 

- Send $[\mathrm{SETUP}, P_{\mathrm{client}}, P_{\mathrm{server}}]$ to each party $P_i$. 

- Send $[\mathrm{SETUP}, P_{\mathrm{client}}, P_1, \ldots, P_n]$ to $P_{\mathrm{server}}$. 

On input $[\mathrm{INPUT}, x_i]$ from input party $P_i$: 

- Send $[\mathrm{INPUTFROM}, P_i]$ to $P_{\mathrm{server}}$, and remember $x_i$. 

On input "OK" from $P_{\mathrm{server}}$: 

- If $P_{\mathrm{server}}$ is corrupt, expect to receive from $P_{\mathrm{server}}$ a permutation $\sigma$ on $\{1, \ldots, n\}$. 
If $P_{\mathrm{server}}$ is honest, choose $\sigma$ at random. 

- If not all of the parties $P_1, \ldots, P_n$ have supplied an input, or if some $x_i = \bot$, then 
send $\bot$ to $P_{\mathrm{client}}$. 

- Otherwise, give $(x_{\sigma(1)}, \ldots, x_{\sigma(n)})$ to $P_{\mathrm{client}}$. 

On input "CANCEL" from a corrupt $P_{\mathrm{server}}$, send $\bot$ to $P_{\mathrm{client}}$. 


Fig. 1. UC ideal functionality $\mathcal{F}_{\mathrm{poll}}$ 


The Protocol. We present our protocol for $\mathcal{F}_{\mathrm{poll}}$ following the high-level overview 
given in Section 1.1. We then prove that the protocol is a UC-secure realization 
of $\mathcal{F}_{\mathrm{poll}}$, provided that at least one of $\{P_{\mathrm{client}}, P_{\mathrm{server}}\}$ is honest. 

Let $\mathcal{E} = (\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{CTrans})$ be an unlinkable HCCA-secure scheme, 
whose message space is $G^2$ for a cyclic group $G$, and whose allowed (unary) 
transformations are $(\alpha, \beta) \mapsto (\alpha, t\beta)$ for all $t \in G$. We suppose the CTrans 
operation accepts arguments as $\mathrm{CTrans}(C, t)$, where $t \in G$ specifies the transfor- 
mation $(\alpha, \beta) \mapsto (\alpha, t\beta)$. We abbreviate the $\mathrm{CTrans}(C, t)$ operation as "$t * C$". 
Thus $t * \mathrm{Enc}_{PK}(\alpha, \beta)$ is indistinguishable from $\mathrm{Enc}_{PK}(\alpha, t\beta)$, in the sense of the 
unlinkability definition. 

The protocol proceeds as follows: 

1. $P_{\mathrm{client}}$ generates a key pair $(SK, PK) \leftarrow \mathrm{KeyGen}$ and chooses random elements 
$r_1, \ldots, r_n \leftarrow G$, remembering $R = \prod_i r_i$. She then sends $(PK, r_i, P_{\mathrm{server}})$ to 
each party $P_i$, and sends $(P_{\mathrm{client}}, P_1, \ldots, P_n)$ to $P_{\mathrm{server}}$. 

2. Input party $P_i$ holds input $x_i$. He receives $(PK, r_i, P_{\mathrm{server}})$ from $P_{\mathrm{client}}$, then 
sends $\mathrm{Enc}_{PK}(x_i, r_i)$ to $P_{\mathrm{server}}$ through a secure channel. 

3. $P_{\mathrm{server}}$ collects ciphertext $C_i$ from each input party $P_i$, then chooses a random 
permutation $\sigma$ on $[n]$ and random $s_1, \ldots, s_n \leftarrow G$ subject to $\prod_i s_i = 1$. He 
computes $C'_i = s_{\sigma(i)} * C_{\sigma(i)}$ and sends $(C'_1, \ldots, C'_n)$ to $P_{\mathrm{client}}$. 

4. $P_{\mathrm{client}}$ decrypts each $C'_i$ as $(x'_i, r'_i) \leftarrow \mathrm{Dec}_{SK}(C'_i)$. If any decryption fails, or if 
$\prod_i r'_i \neq R$, she aborts. Otherwise, she outputs $(x'_1, \ldots, x'_n) = (x_{\sigma(1)}, \ldots, x_{\sigma(n)})$. 
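Steps 1 to 4 simulated in Python, as an added example (not the authors' code). The unlinkable HCCA scheme $\mathcal{E}$ is not implemented: the class Ciphertext is a hypothetical stand-in that holds the pair $(\alpha, \beta)$ and exposes only the allowed transform $t * C$, so non-malleability is assumed by the model rather than enforced by it. The group is $\mathbb{Z}_P^*$ for the Mersenne prime $P = 2^{127} - 1$ (my choice), and all function names are mine. What the code shows is the check in step 4: it passes for an honest tabulator, and it aborts when the tabulator drops one response and duplicates another, when the tabulator substitutes a ciphertext of its own, or when a respondent copies another respondent's ciphertext, which are the three cheating behaviours discussed informally in Section 1.1.

```python
"""Opinion-poll protocol of Section 3, simulated in Z_P^* (added example)."""
import random
import secrets
from typing import List, Optional, Tuple

P = (1 << 127) - 1          # Mersenne prime: Z_P^* is cyclic of order P - 1


def rand_elem() -> int:
    """Uniform element of G = Z_P^*."""
    return secrets.randbelow(P - 1) + 1


def mul(a: int, b: int) -> int:
    return a * b % P


def prod(xs) -> int:
    out = 1
    for x in xs:
        out = mul(out, x)
    return out


def share_of(value: int, n: int) -> List[int]:
    """Multiplicative n-of-n sharing: prod(shares) == value, any n-1 shares uniform."""
    head = [rand_elem() for _ in range(n - 1)]
    return head + [mul(value, pow(prod(head), -1, P))]   # last share fixes the product


class Ciphertext:
    """Hypothetical stand-in for Enc_PK(alpha, beta); NOT an HCCA scheme.
    The model only exposes the allowed transform (alpha, beta) -> (alpha, t*beta)."""

    def __init__(self, alpha: int, beta: int):
        self._alpha, self._beta = alpha, beta

    def transform(self, t: int) -> "Ciphertext":
        """t * C: multiplies the second plaintext component only."""
        return Ciphertext(self._alpha, mul(t, self._beta))

    def decrypt(self) -> Tuple[int, int]:
        """Dec_SK; in the real protocol only P_client can do this."""
        return self._alpha, self._beta


def tabulator_honest(cts: List[Ciphertext]) -> List[Ciphertext]:
    """Step 3: rerandomize the shares with prod s_i = 1, then shuffle."""
    s = share_of(1, len(cts))
    sigma = list(range(len(cts)))
    random.shuffle(sigma)
    return [cts[j].transform(s[j]) for j in sigma]       # C'_i = s_sigma(i) * C_sigma(i)


def tabulator_drop_and_duplicate(cts: List[Ciphertext]) -> List[Ciphertext]:
    """Cheating tabulator: replaces respondent 1's ciphertext by a copy of respondent 0's."""
    return tabulator_honest([cts[0], cts[0]] + cts[2:])


def tabulator_substitute(cts: List[Ciphertext]) -> List[Ciphertext]:
    """Cheating tabulator: swaps in a fresh ciphertext; it carries no valid share."""
    forged = Ciphertext(rand_elem(), rand_elem())
    return tabulator_honest([forged] + cts[1:])


def run_poll(responses: List[int], tabulator=tabulator_honest,
             copycat: Optional[int] = None) -> Optional[List[int]]:
    """Steps 1-4. Returns the sorted multiset of accepted responses, or None on abort.
    If `copycat` is set, that respondent submits a copy of respondent 0's ciphertext
    instead of its own (the malicious-respondent case of Section 1.1)."""
    n = len(responses)
    r = [rand_elem() for _ in range(n)]                  # step 1: shares r_i ...
    R = prod(r)                                          # ... of the secret R
    cts = [Ciphertext(x, r_i) for x, r_i in zip(responses, r)]   # step 2
    if copycat is not None:
        cts[copycat] = cts[0]
    out = tabulator(cts)                                 # step 3
    dec = [c.decrypt() for c in out]                     # step 4: decrypt ...
    if len(dec) != n or prod(rr for _, rr in dec) != R:  # ... and check prod r'_i == R
        return None
    return sorted(x for x, _ in dec)
```

Each cheating run leaves $\prod_i r'_i$ equal to $R$ only if two independently chosen shares happen to coincide, which occurs with probability about $1/|G|$; the sorted output hides the permutation $\sigma$, which is exactly what the pollster is meant to learn nothing about.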

Theorem 2. If $\mathcal{E}$ is unlinkable and HCCA-secure with message space $G^2$, and 
allowed transformations as described above, where $|G|$ is superpolynomial in 
the security parameter, then our protocol is a secure realization (with respect 
to static corruptions) of $\mathcal{F}_{\mathrm{poll}}$, against adversaries who corrupt at most one of 
$\{P_{\mathrm{server}}, P_{\mathrm{client}}\}$. 

Proof. Given a real-world adversary $\mathcal{A}$, we construct a simulator $\mathcal{S}$. We break 
the proof down into 3 cases according to which parties $\mathcal{A}$ corrupts: 

Case 1: If $\mathcal{A}$ corrupts neither $P_{\mathrm{server}}$ nor $P_{\mathrm{client}}$, then suppose by symmetry 
that $\mathcal{A}$ corrupts some input parties $P_1, \ldots, P_k$. Then the main task for $\mathcal{S}$ is to 
extract the inputs of each corrupt $P_i$ and send them to $\mathcal{F}_{\mathrm{poll}}$. $\mathcal{S}$ simply does the 
following: 

— On receiving $[\mathrm{SETUP}, P_{\mathrm{client}}, P_{\mathrm{server}}, P_1, \ldots, P_n]$ from $\mathcal{F}_{\mathrm{poll}}$, generate $(PK, SK)$ 
$\leftarrow \mathrm{KeyGen}$. Choose random $r_1, \ldots, r_k \leftarrow G$ and simulate that $P_{\mathrm{client}}$ sent 
$(PK, r_i, P_{\mathrm{server}})$ to each corrupt input party $P_i$. 

— If not all corrupt parties $P_i$ send a ciphertext $C_i$ to $P_{\mathrm{server}}$, then abort. Oth- 
erwise, set $(x_i, r'_i) \leftarrow \mathrm{Dec}_{SK}(C_i)$. 

— If any of the above decryptions fails, or if $r'_i \neq r_i$, then send $[\mathrm{INPUT}, \bot]$ 
to $\mathcal{F}_{\mathrm{poll}}$ on behalf of each corrupt input party $P_i$. 

— Otherwise send $[\mathrm{INPUT}, x_i]$ to $\mathcal{F}_{\mathrm{poll}}$ on behalf of each corrupt input party $P_i$. 

It is straightforward to see that in the cases where $\mathcal{S}$ sends $[\mathrm{INPUT}, \bot]$, then by 
the honest behavior of $P_{\mathrm{server}}$ and $P_{\mathrm{client}}$, the protocol would have mandated that 
$P_{\mathrm{client}}$ refuse the output. 

Case 2: If $\mathcal{A}$ corrupts $P_{\mathrm{client}}$ and (without loss of generality) input parties 
$P_1, \ldots, P_k$, then $\mathcal{S}$ does the following: 

— When corrupt $P_{\mathrm{client}}$ sends $(PK, r_i, P_{\mathrm{server}})$ to each honest input party $P_i$, 
send $[\mathrm{SETUP}, P_{\mathrm{client}}, P_{\mathrm{server}}, P_1, \ldots, P_n]$ to $\mathcal{F}_{\mathrm{poll}}$ on behalf of $P_{\mathrm{client}}$. 

— When a corrupt input party $P_i$ sends a ciphertext $C_i$ to honest $P_{\mathrm{server}}$, send 
$[\mathrm{INPUT}, 1]$ to $\mathcal{F}_{\mathrm{poll}}$ on behalf of $P_i$. 

— When $\mathcal{F}_{\mathrm{poll}}$ gives the final output to $\mathcal{S}$, remove as many 1's from the output 
list as there are corrupt input parties. Call the remaining outputs $x_{k+1}, 
\ldots, x_n$. Honestly simulate the remainder of the protocol on behalf of the 
honest input parties, using $x_i$ as the input for honest party $P_i$. 

Since $P_{\mathrm{client}}$ is corrupt, $\mathcal{S}$ can legally obtain the set of honest input parties' 
inputs. The only difference therefore between the view of $\mathcal{A}$ in the real world 
and our simulation is that the honest parties are simulated with inputs that 
may be permuted. However, since $P_{\mathrm{server}}$ is honest, $P_{\mathrm{client}}$'s view in the protocol 
is independent of any permutation on the honest parties' inputs. 

Case 3: If A corrupts P_server and input parties P_1, ..., P_k, then S does the following:

— When F_poll gives [setup, P_client, P_1, ..., P_n] to S, generate (PK, SK) ← KeyGen. Pick random r_1, ..., r_n ← G and simulate that P_client sent (PK, r_i, P_server) to each corrupt P_i.

— When F_poll gives [inputfrom, P_i] to S for an honest party (i > k), generate (C_i, S_i) ← RigEnc_PK and simulate that P_i sent C_i to P_server. Remember S_i.

— When P_server sends P_client a list of ciphertexts (C'_1, ..., C'_n), do the following for each i:

  • If Dec_SK(C'_i) ≠ ⊥, then set (x'_i, r'_i) ← Dec_SK(C'_i).

  • Else, if RigExtract_SK(C'_i, S_j) ≠ ⊥ for some j, set r'_i := r_j · RigExtract_SK(C'_i, S_j).

  • If both these operations fail, send cancel to F_poll on behalf of P_server.

  If ∏_i r'_i ≠ ∏_i r_i, or if for some j > k there is more than one i such that RigExtract_SK(C'_i, S_j) ≠ ⊥, then send cancel to F_poll on behalf of P_server. Otherwise, let σ be any permutation on [n] that maps each j > k to the unique i such that RigExtract_SK(C'_i, S_j) ≠ ⊥. Send [input, x'_{σ(i)}] to F_poll on behalf of corrupt P_i (i ≤ k), and then send OK to F_poll on behalf of P_server, with σ as the permutation that F_poll expects.

In this case, the primary task of S is to determine whether the corrupt P_server gives a valid list of ciphertexts to P_client. Applying the HCCA definition in a sequence of hybrid interactions, we see that the behavior of the real world interaction versus this simulation interaction is preserved when appropriately replacing Enc/Dec with RigEnc/RigExtract.

Note that the adversary's view is independent of r_{k+1}, ..., r_n. If Dec_SK(C'_i) ≠ ⊥, then the corresponding r'_i value computed by the simulator is also independent of r_{k+1}, ..., r_n. Thus the only way ∏_i r'_i = ∏_i r_i can be satisfied with non-negligible probability is if for each honest party P_j, exactly one i satisfies RigExtract_SK(C'_i, S_j) ≠ ⊥. In this case, there will be exactly as many x'_i's as corrupt players, and the simulator can legitimately send these to F_poll as instructed (with the appropriate permutation).


Boolean OR on Encrypted Data. Using a similar technique, we can obtain a UC-secure protocol for a boolean-OR functionality. This functionality is identical to F_poll, except that P_server also gets to provide an input (say we identify P_server with P_0), and instead of giving (x_{σ(0)}, ..., x_{σ(n)}), it gives ∨_i x_i as the output to P_client.

We can achieve this new functionality with a similar protocol — this time, using an encryption scheme that is unlinkable HCCA-secure with respect to all group operations in G^2. P_client sends shares r_i to the input parties as before. The input parties send Enc_PK(x_i, r_i) to P_server, where x_i = 1 if P_i's input is 0, and x_i is randomly chosen in G otherwise. Then, P_server rerandomizes the r_i shares as before, and also randomizes the x_i's in the following way: P_server multiplies each x_i by s_i such that ∏_i s_i = 1 if P_server's input is 0, and ∏_i s_i is random otherwise (P_server can randomize both sets of shares simultaneously using the homomorphic operation). P_client receives the processed ciphertexts and ensures that ∏_i r'_i = 1. Then if ∏_i x'_i = 1, it outputs 0, else it outputs 1.

We note that this approach to evaluating a boolean OR (where the induced distribution is a fixed element if the result is 0, and is random if the result is 1) has previously appeared elsewhere, e.g., [30].
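The share-multiplication trick behind this boolean-OR protocol, as an added Python example that is not the paper's code: it runs the plaintext arithmetic for the n input parties, P_server and P_client over a constructed toy group and omits the encryption layer; it also assumes that P_client picks its r_i shares with product 1, which the text does not spell out.

```python
import secrets

# Constructed toy group G = Z_P^* (P prime, so G is cyclic of order P - 1).
# Only the plaintext arithmetic the protocol performs under the homomorphism
# is modelled; the HCCA encryption that keeps x_i and r_i hidden from
# P_server is omitted, so this is an illustration, not a secure protocol.
P = 2**61 - 1


def rand_elem() -> int:
    """Uniform random element of G."""
    return secrets.randbelow(P - 1) + 1


def inv(a: int) -> int:
    return pow(a, P - 2, P)


def prod(vals) -> int:
    acc = 1
    for v in vals:
        acc = acc * v % P
    return acc


def shares_with_product(n: int, target: int) -> list:
    """n random elements of G whose product is `target` (the last is forced)."""
    vals = [rand_elem() for _ in range(n - 1)]
    vals.append(target * inv(prod(vals)) % P)
    return vals


def input_share(bit: int) -> int:
    """x_i = 1 if P_i's input is 0, otherwise a random group element."""
    return 1 if bit == 0 else rand_elem()


def honest_server(xs, rs, server_bit):
    """P_server multiplies each x_i by s_i with prod s_i = 1 if its own input
    is 0 (random otherwise) and rerandomises the r_i shares with product 1."""
    n = len(xs)
    ss = shares_with_product(n, 1 if server_bit == 0 else rand_elem())
    ts = shares_with_product(n, 1)
    return ([x * s % P for x, s in zip(xs, ss)],
            [r * t % P for r, t in zip(rs, ts)])


def client_output(xs_out, rs_out):
    """P_client checks prod r'_i = 1 (else aborts) and outputs 0 iff prod x'_i = 1."""
    if prod(rs_out) != 1:
        return None
    return 0 if prod(xs_out) == 1 else 1


def run_or(input_bits, server_bit, server=honest_server):
    n = len(input_bits)
    # Assumption (not stated on the page): P_client picks the r_i uniformly
    # subject to prod r_i = 1, matching the check it performs at the end.
    rs = shares_with_product(n, 1)
    xs = [input_share(b) for b in input_bits]
    return client_output(*server(xs, rs, server_bit))


def dropping_server(xs, rs, server_bit):
    """A misbehaving server that substitutes party 0's contribution: it can
    forge x_0 but not r_0, so the r-share product check makes P_client abort."""
    xs = [1] + list(xs[1:])            # pretend party 0 said 0
    rs = [rand_elem()] + list(rs[1:])  # but r_0 is unknown to it
    return honest_server(xs, rs, server_bit)
```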

Relation to Voting. Our opinion polling protocol falls short of a solution for the 
classic election scenario in several aspects. First, in our scheme, respondents can 
cause the entire protocol to abort. Second, the respondents have no stake in the 
correctness of the results; if the pollster publishes the entire set of responses, 
there is no way for respondents to verify its correctness. Respondents may sub- 
mit their vote accompanied by a randomly chosen nonce — this would allow a 
respondent to verify that his own response was included, but not that the entire 
set of responses is valid. Adding a publicly published nonce also allows trivial 
vote-selling. We finally note that an election protocol (in which all participants receive guaranteed correct results) is not possible in the plain UC model, given the impossibility results of [?].

4 Non-malleable Homomorphic Encryption for Binary Operations

In [?], it was shown that no homomorphic encryption can be completely unlinkable and also allow a group operation over the message space as a binary homomorphic operation — that is, an operation that multiplies two encrypted group elements. Still, the impossibility result left open the possibility of achieving a relaxation of these requirements. We consider a relaxation similar to [?]; namely, we allow the ciphertext to leak the number of operations applied to it (i.e., the depth of the circuit applied), but ideally no additional information.

Informally, we associate a length parameter with each ciphertext. If a length-ℓ and a length-ℓ' ciphertext are combined, then the result is a length ℓ + ℓ' ciphertext.

Security Definition. Our formal definition is in the form of an ideal functionality in the UC framework. It is a generalization of the “homomorphic message posting” functionality presented in [?], to the case where multiple messages can be
The functionality keeps track of a database of records of the form (handle, ℓ, m). Let GetHandle(args) be a subroutine which sends [handle-req, args] to the adversary and expects in return a string handle. If handle is previously recorded in the database, abort; otherwise, return handle.

Setup: On receiving a command [setup] from a party P: If a previous setup command has been processed, abort. Else, send [id-req, P] to the adversary, and expect in response a string id. Broadcast [id-announce, P, id] to all other parties.

Dummy handles: On receiving a command [dummy, ℓ, handle] from a corrupt party only, internally record (handle, ℓ, ⊥) and broadcast [handle-announce, handle] to all parties.

Posting messages: On receiving a command [post, ℓ, m_0, handle_1, ..., handle_k] from a party sender: If any handle_i is not recorded internally, or m_0 ∉ G, ignore the request. Otherwise, suppose (handle_i, ℓ_i, msg_i) is recorded for each i. If ℓ < Σ_i ℓ_i, ignore the request. Let D = {i | msg_i = ⊥} ⊆ [k], the indices of the dummy handles. Set m* = m_0 · ∏_{i∉D} msg_i, the product of known plaintexts involved.

— If D = ∅ (no dummy handles involved): If P is corrupt, set handle* ← GetHandle(sender, ℓ, m*); otherwise let handle* ← GetHandle(sender, ℓ). Internally record (handle*, ℓ, m*) and broadcast [handle-announce, handle*] to all parties.

— If ℓ > Σ_{i∈D} ℓ_i (not entirely derived from dummy handles): If P is corrupt, set handle' ← GetHandle(sender, ℓ', m*), else set handle' ← GetHandle(sender, ℓ'). Internally record (handle', ℓ', m*). Set handle* ← GetHandle(sender, ℓ, {handle'} ∪ {handle_i | i ∈ D}). Internally record (handle*, ℓ, ⊥) and send [handle-announce, handle*] to all parties.

— Otherwise (dummy handles only), set handle* ← GetHandle(sender, ℓ, m_0, {handle_i | i ∈ D}). Internally record (handle*, ℓ, ⊥) and send [handle-announce, handle*] to all parties.

Message reading: On receiving a command [get, handle] from party P (who gave the first setup command): If (handle, ℓ, msg) is recorded internally, send msg to P; else send ⊥.


Fig. 2. UC ideal functionality F_G, parametrized by a cyclic group G

combined. The functionality, called F_G, is given in full detail in Figure 2. Below we explain and motivate the details of the definition.

The functionality allows users to post messages to each other, as on a bul- 
letin board. The messages are stored in the functionality’s memory, and are not 
given out except to the designated recipient. Instead, messages can be referred 
to using abstract handles, which reveal no information about the message. 

Following our desired intuition, users can only generate new messages in two 
ways (for uniformity, all handled in the same part of the functionality’s code). 
A user can simply post a message by supplying a group element m (this is 
the case where k = 0 in the user’s post command). Alternatively, a user can 
provide a list of existing handles along with a group element m. If all these 
handles correspond to honestly-generated posts, then this has the same effect as 
if the user posted the product of all the corresponding messages (though note 
that the user does not have to know what these messages are to do this). We 
model the fact that handles reveal nothing about the message by letting the 
adversary choose the actual handle string, without knowledge of the message. 
The designated recipient can obtain the message by providing a handle to the 
functionality. Note that there is no way (even for corrupt parties) to generate a 
handle derived from existing handles in a non-approved way. 

However, (as in [?]) adversaries can also post dummy handles, which contain 
no message. When a user posts a derived message using such a handle, the 
resulting handle also contains no message. However, the adversary is also told 
that the handle was used in a derived post command. The adversary also gets 
access to an “intermediate” handle corresponding to all the non-DUMMY handles 
that were combined in the POST request. Still, the adversary learns nothing 
about the messages corresponding to these handles. This weakness is slight and 
natural, since the adversary could output a ciphertext encrypted under some 
key unknown to the other participants. The ciphertext would be meaningless to 
the other parties, but the adversary could also be able to detect when someone 
has derived another message using it. 

One may of course consider interactive protocols for F_G. However, we restrict attention to non-interactive protocols obtained via encryption schemes — where KeyGen implements the setup command, Enc and CTrans implement the post command, and Dec implements the get command, all in the natural ways.

The Construction. Let E = (KeyGen, Enc, Dec, CTrans) be an unlinkable HCCA-secure scheme, whose message space is G^2 for a cyclic group G, and whose allowed (unary) transformations are all group operations in G^2. We suppose the CTrans operation accepts arguments as CTrans(C, (r, s)), where r, s ∈ G specify the transformation (α, β) ↦ (rα, sβ). We abbreviate the CTrans(C, (r, s)) operation as “(r, s) ∗ C”. Thus (r, s) ∗ Enc_PK(α, β) is indistinguishable from Enc_PK(rα, sβ), in the sense of the unlinkability definition.

The new scheme E* is given by the following algorithms:

Key generation (KeyGen*). Same as KeyGen.

Encryption (Enc*). To encrypt an element m ∈ G in a length-ℓ ciphertext, output

  C = (Enc_PK(α_1, β_1), ..., Enc_PK(α_ℓ, β_ℓ))

where α_i, β_i are randomly chosen in G subject to the constraint ∏_i α_i = ∏_i β_i = m.

Decryption (Dec*). To decrypt a ciphertext C = (C_1, ..., C_ℓ), decrypt each C_i to get (α_i, β_i). If any decryption returns ⊥, or if ∏_i α_i ≠ ∏_i β_i, output ⊥. Else output ∏_i α_i.

Transformation operation (CTrans*). To “multiply” two given ciphertexts C = (C_1, ..., C_ℓ) and C' = (C'_1, ..., C'_{ℓ'}), output a random permutation of:

  ((r_1, s_1) ∗ C_1, ..., (r_ℓ, s_ℓ) ∗ C_ℓ, (r_{ℓ+1}, s_{ℓ+1}) ∗ C'_1, ..., (r_{ℓ+ℓ'}, s_{ℓ+ℓ'}) ∗ C'_{ℓ'})

where r_i, s_i are randomly chosen in G subject to ∏_i r_i = ∏_i s_i = 1. To “multiply” a single given ciphertext C = (C_1, ..., C_ℓ) by a given known group element R ∈ G (without increasing the ciphertext length), output:

  ((r_1, s_1) ∗ C_1, ..., (r_ℓ, s_ℓ) ∗ C_ℓ)

where r_i, s_i are randomly chosen in G subject to ∏_i r_i = ∏_i s_i = R.

We note that the syntax of CTrans* can be naturally extended to support multiplying several ciphertexts and/or a known group element at once, simply by composing the operations described above.
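The scheme E* above, as an added Python example that is not the paper's code: Enc*, Dec* and both CTrans* operations over a constructed toy group G = Z_P^*, on top of a deliberately insecure stand-in for the underlying scheme E (the keygen/enc/dec/ctrans functions here are an assumption standing in for any unlinkable HCCA-secure scheme), so that the length bookkeeping and the ∏α_i = ∏β_i redundancy check can be run.

```python
import random

# Constructed toy group G = Z_P^* with P prime, so G is cyclic of order P - 1.
P = 2**61 - 1


def inv(a: int) -> int:
    return pow(a, P - 2, P)


def prod(vals) -> int:
    acc = 1
    for v in vals:
        acc = acc * v % P
    return acc


def rand_elem() -> int:
    return random.randrange(1, P)


def random_tuple_with_product(n: int, target: int) -> list:
    """n random elements of G whose product equals `target` (last one forced)."""
    vals = [rand_elem() for _ in range(n - 1)]
    vals.append(target * inv(prod(vals)) % P)
    return vals


# --- Stand-in for the underlying scheme E = (KeyGen, Enc, Dec, CTrans) ---
# The text assumes any unlinkable HCCA-secure scheme with message space G^2
# and CTrans(C, (r, s)) mapping Enc(α, β) to Enc(rα, sβ).  This stand-in just
# masks (α, β) with a fixed key: it is NOT secure (deterministic, freely
# malleable) and exists only so that E*'s bookkeeping can be exercised.
def keygen():
    key = (rand_elem(), rand_elem())
    return key, key  # (PK, SK); identical in the stand-in


def enc(pk, alpha: int, beta: int):
    u, v = pk
    return (alpha * u % P, beta * v % P)


def dec(sk, c):
    """Returns (α, β), or None (⊥) if a component is not a group element."""
    u, v = sk
    c1, c2 = c
    if not (0 < c1 < P and 0 < c2 < P):
        return None
    return (c1 * inv(u) % P, c2 * inv(v) % P)


def ctrans(c, rs):
    """(r, s) * C: turns an encryption of (α, β) into one of (rα, sβ)."""
    r, s = rs
    return (c[0] * r % P, c[1] * s % P)


# --- The length-parametrised scheme E* from the text ---
def enc_star(pk, m: int, ell: int) -> list:
    """Length-ℓ ciphertext: ℓ encryptions of (α_i, β_i) with ∏α_i = ∏β_i = m."""
    alphas = random_tuple_with_product(ell, m)
    betas = random_tuple_with_product(ell, m)
    return [enc(pk, a, b) for a, b in zip(alphas, betas)]


def dec_star(sk, C):
    """Returns m if every component decrypts and ∏α_i = ∏β_i, else None (⊥)."""
    pairs = [dec(sk, c) for c in C]
    if any(p is None for p in pairs):
        return None
    alphas = [a for a, _ in pairs]
    betas = [b for _, b in pairs]
    if prod(alphas) != prod(betas):
        return None  # redundancy check: components were altered or recombined
    return prod(alphas)


def ctrans_mul(C, Cp) -> list:
    """Product of two ciphertexts: length ℓ + ℓ', every component rerandomised
    by (r_i, s_i) with ∏r_i = ∏s_i = 1, then shuffled."""
    comps = list(C) + list(Cp)
    rs = random_tuple_with_product(len(comps), 1)
    ss = random_tuple_with_product(len(comps), 1)
    out = [ctrans(c, (r, s)) for c, r, s in zip(comps, rs, ss)]
    random.shuffle(out)
    return out


def ctrans_scalar(C, R: int) -> list:
    """Multiply by a known R ∈ G without changing the length: ∏r_i = ∏s_i = R."""
    rs = random_tuple_with_product(len(C), R)
    ss = random_tuple_with_product(len(C), R)
    return [ctrans(c, (r, s)) for c, r, s in zip(C, rs, ss)]
```

Decrypting a product yields the product of the messages, while altering a single component, dropping one, or splicing components from two different ciphertexts breaks the ∏α_i = ∏β_i check (except with probability about 1/|G|).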

Theorem 3. If E is unlinkable and HCCA-secure with respect to G^2, where |G| is superpolynomial in the security parameter, then E* (as described above) is a secure realization of F_G, with respect to static corruptions.

Proof. Let E = (KeyGen, Enc, Dec, CTrans) be the unlinkable HCCA-secure scheme used as the main component in our construction, and let RigEnc and RigExtract be the procedures guaranteed by HCCA security.

We proceed by constructing an ideal-world simulator for any arbitrary real-world adversary A. The simulator S is constructed by considering a sequence of hybrid functionalities that culminate in F_G. These hybrids differ from F_G only in how much they reveal in their handle-req requests to the adversary.

Correctness. Note that F_G only makes two kinds of handle-req requests: those containing a lone message, and those containing a list of handles.

Let F_1 be the functionality that behaves exactly as F_G, except that every time it sends a handle-req to the simulator, it also includes the entire party's input that triggered the handle-req. Define S_1 to be the simulator that internally runs the adversary A, and does the following:

- When F_1 gives (id-req, P) to S_1, it generates a key pair (PK, SK) ← KeyGen and responds with PK. It simulates to A that party P broadcast PK.

- When F_1 gives a handle-req to S_1, it generates the handle appropriately — with either Enc*_PK or CTrans* on an existing handle, depending on the party's original command which is included in the handle-req. It simulates to A that the appropriate party output the handle.

- When A broadcasts a length-ℓ ciphertext C, S_1 tries to decrypt it with Dec*_SK. If it decrypts (say, to m), then S_1 sends a (post, ℓ, m) command to F_1 and later gives C as the handle; else it sends (dummy, ℓ, C).

S_1 exactly simulates the honest parties' behavior in the real world interaction. By the correctness properties of E*, the outputs of the honest ideal-world parties match that of the real world, except with negligible probability; thus, REAL_{E*,A} ≈ IDEAL_{F_1,S_1} for all environments Z.

Unlinkability. Let F_2 be exactly like F_1, except for the following change: For requests of the form [handle-req, sender, ℓ, m], F_2 does not send the handles that caused this request. That is, whereas F_1 would tell the simulator that the handle is being requested for a post command combining some non-dummy handles, F_2 would instead act like sender had sent [post, ℓ, m] (this is closer to what F_G does; internally it behaves identically for such requests). Let S_2 = S_1, since F_2 is only sending one fewer type of handle-req to the simulator.

By a standard hybrid argument, we can see that IDEAL_{F_1,S_1} ≈ IDEAL_{F_2,S_2} for all environments Z. The hybrids are over the number of post requests affected by this change. Consecutive hybrids differ by whether a single handle was generated by Enc* or by CTrans*. The only handles that are affected here are non-dummy handles, and thus ciphertexts which decrypt successfully under SK. Thus distinguishing between consecutive hybrids can be reduced to succeeding in the unlinkability experiment (by further hybridizing over the individual Enc ciphertext components).

HCCA. If the owner P of the functionality is corrupt, then S_2 is already a suitable simulator for F_G, and we can stop at this point.

Otherwise, the difference between F_G and F_2 is that F_G does not reveal the message in certain handle-req requests. Namely, those in which the simulator receives [handle-req, sender, ℓ].

Let S_3 be exactly like S_2, except for the following changes: Each time S_2 would generate a ciphertext component via Enc_PK(α, β), S_3 instead generates it with RigEnc_PK. It keeps track of the auxiliary information S and records (S, α, β) internally. Also, whenever S_2 would decrypt a ciphertext component using Dec_SK, S_3 instead decrypts it via:

$$D(C) = \begin{cases} (r\alpha, s\beta) & \text{if any } (S, \alpha, \beta) \text{ is recorded such that } (r, s) \leftarrow \mathsf{RigExtract}_{SK}(C, S) \\ \mathsf{Dec}_{SK}(C) & \text{otherwise} \end{cases}$$

By a straightforward hybrid argument (where distinguishing between consecutive hybrids reduces to distinguishing in one execution of the HCCA experiment), we have that IDEAL_{F_2,S_2} ≈ IDEAL_{F_2,S_3} for all environments Z.

Suppose the internal records (S, α, β) are labeled as (S_j, α_j, β_j) for j ≥ 1. Now for each handle-req request q sent to S_3, we define J_q to be the set of indices j such that (S_j, α_j, β_j) was generated as a result of servicing request q.

Each α, β is chosen randomly in G, subject to a constraint on some of their products, as prescribed by Enc* and CTrans*. However, the ciphertexts given to the adversary are generated by RigEnc_PK, and thus independent of these random choices. In fact, the entire adversary's view is (essentially) independent of the random choices of α, β, subject to ∏_{j∈J_q} α_j/β_j being fixed (we pessimistically assume that A knows this fixed value for each q). Put another way, ∏_{j∈J'} (α_j/β_j) is uniformly distributed for a multiset J' unless, for all q, all elements of J_q have the same multiplicity in J'.

We now examine when a ciphertext given by the adversary is successfully decrypted by the simulator (and thus given to the functionality as a post instead of as a dummy handle).

Given a ciphertext (sequence of HCCA ciphertexts) C = (C_1, ..., C_ℓ), S_3 first decrypts each C_i to obtain (α_i, β_i) = D(C_i). The overall decryption succeeds if ∏_i (α_i/β_i) = 1. Let J' be the multiset of indices j such that ⊥ ≠ RigExtract_SK(C_i, S_j), with multiplicity for each i where this holds. The decryption constraint above is uniformly distributed (and thus equality holds only with negligible probability) unless, for all q, all elements of J_q have the same multiplicity in J'. However, when all elements of J_q have the same multiplicity in J', we may cancel all the α_j/β_j terms in the constraint. What remains are terms of the form α_i/β_i, where (α_i, β_i) ← Dec_SK(C_i), and terms r_i/s_i, where (r_i, s_i) ← RigExtract_SK(C_i, S_j). The ciphertext then decrypts successfully if and only if the constraint holds with respect to these remaining terms.

Thus, we can consider a simulator S_4 which behaves just like S_3, except that when A outputs a ciphertext C = (C_1, ..., C_ℓ), it processes it as follows:

— If some C_i is such that D(C_i) = ⊥, the ciphertext is invalid; send [dummy, C] to the functionality.

— Define J' as above. If for some q, the elements of J_q do not all have the same multiplicity in J', the ciphertext is invalid; send [dummy, C] to the functionality.

— Let I be the set of indices i such that ⊥ ≠ (α_i, β_i) ← Dec_SK(C_i). If ∏_{i∈I} (α_i/β_i) ≠ 1, then the ciphertext is invalid; send [dummy, C] to the functionality.

— Let (r_i, s_i) ← RigExtract_SK(C_i, S_j) for each i ∉ I. If ∏_{i∉I} (r_i/s_i) ≠ 1, then the ciphertext is invalid; send [dummy, C] to the functionality.

— Otherwise, send [post, ℓ, m_0, {handle_j | j ∈ J'}] to the functionality, where m_0 = ∏_{i∈I} α_i · ∏_{i∉I} r_i.

Except with negligible probability, S_4 interacts identically with the functionality as S_3. However, note that S_4 does not actually look at the α_j, β_j values that are recorded for each call to RigEnc. Thus S_4 can be successfully implemented even if the functionality does not reveal m in messages of the form [handle-req, sender, ℓ, m]. Therefore S_4 is a suitable simulator for F_G itself, and IDEAL_{F_2,S_3} ≈ IDEAL_{F_G,S_4} for all environments Z.
A Security Definitions for Non-Malleable Homomorphic Encryption

The formal definitions in this section are summarized from [23] for reference:

HCCA Security. The main security definition, called Homomorphic-CCA (HCCA) security, formalizes the intuition that a homomorphic encryption scheme is “non-malleable except for a certain set of operations.” The complete security experiment is given in Figure 3 and we give an overview and motivation below.

Definition 1. A homomorphic encryption scheme is Homomorphic-CCA (HCCA) secure with respect to 𝒯 if there are PPT algorithms RigEnc and RigExtract, where the range of RigExtract is 𝒯 ∪ {⊥}, and such that for all PPT adversaries A, the advantage of A in the IND-HCCA experiment (Figure 3) is negligible.

When b = 0 in the experiment, the adversary simply receives an encryption of his chosen plaintext msg*, and gets access to an unrestricted decryption oracle. However, when b = 1 in the experiment, instead of an encryption of msg*, the adversary receives a “rigged” ciphertext generated by RigEnc, without knowledge of msg*. Such a rigged ciphertext need not encode any actual message, so if the adversary asks for it (or any of its derivatives via the homomorphic operations) to be decrypted, the decryption oracle's response must be compensated in some way, or else it would be easy to distinguish the b = 0 from b = 1 scenarios. For this purpose, the RigEnc procedure also produces some (secret) extra state information, which makes it possible to identify (via the RigExtract procedure) all ciphertexts derived from that particular rigged ciphertext, as well as how they were derived. So in the b = 1 scenario, the decryption oracle first uses RigExtract to check whether the given ciphertext was derived via a homomorphic operation of the scheme, and if so, compensates in its response. For example, if the query ciphertext was derived by applying the T transformation, then the decryption oracle should respond with T(msg*), to mimic the b = 0 case.

It is easily seen that if it is feasible for an adversary to modify an encryption Enc(msg) into a related encryption Enc(T(msg)), but RigExtract never outputs T, then there is a way for an adversary to distinguish between b = 0 and b = 1 in the experiment. Thus by restricting the range of the RigExtract procedure in the security definition, we limit the feasible malleability of the scheme.

Finally, because RigExtract uses the private key, as well as secret auxiliary infor- 
mation from RigEnc, we should provide an oracle for these procedures. We do so in a 
“guarded” way that keeps the auxiliary shared information hidden from the adversary 
in the experiment. 

Unlinkability. The second security definition, called unlinkability, formalizes the natural requirement that a ciphertext hides not only its plaintext, but also its “history” 
Setup: Pick (PK, SK) ← KeyGen and give PK to A.

Phase I: A gets access to the Dec_SK(·) oracle and the following two “guarded” RigEnc and RigExtract oracles:

  GRigEnc_PK() = C_i, where (C_i, S_i) ← RigEnc_PK, when called for the ith time
  GRigExtract_SK(C, i) = RigExtract_SK(C, S_i)

Challenge: A outputs a plaintext msg*. We privately flip a coin b ← {0, 1}. If b = 0, we compute C* ← Enc_PK(msg*). If b = 1, we compute (C*, S*) ← RigEnc_PK. In both cases, we give C* to A.

Phase II: A gets access to the same GRigEnc and GRigExtract oracles as in Phase I, as well as a “rigged” version of the decryption oracle RigDec. When b = 0, RigDec is simply the normal decryption oracle Dec_SK(·). When b = 1, RigDec is implemented as follows:

$$\mathsf{RigDec}_{SK}(C) = \begin{cases} T(\mathit{msg}^*) & \text{if } \bot \ne T \leftarrow \mathsf{RigExtract}_{SK}(C, S^*) \\ \mathsf{Dec}_{SK}(C) & \text{otherwise} \end{cases}$$

Output: A outputs a bit b'. The advantage of A is Pr[b' = b] − 1/2.


Fig. 3. IND-HCCA security experiment, parametrized by 𝒯


Setup: Pick (PK, SK) ← KeyGen and give PK to A.

Phase I: A is given access to the decryption oracle Dec_SK(·).

Challenge: Flip a coin b ← {0, 1}. A outputs a ciphertext C and a transformation T ∈ 𝒯. If Dec_SK(C) = ⊥, do nothing. Else give C* to A where

$$C^* = \begin{cases} \mathsf{Enc}_{PK}(T(\mathsf{Dec}_{SK}(C))) & \text{if } b = 0 \\ \mathsf{CTrans}(C, T) & \text{if } b = 1 \end{cases}$$

Phase II: A is given access to the decryption oracle Dec_SK(·).

Output: A outputs a bit b'. The advantage of A is Pr[b' = b] − 1/2.


Fig. 4. Unlinkability security experiment, parametrized by 𝒯


— i.e., whether it was generated as a normal Enc, or by applying the homomorphic operations to some other ciphertext.

We note that the definition is more than just a correctness property, as it involves the 
behavior of the scheme’s algorithms on maliciously-crafted ciphertexts. The security 
experiment also includes a decryption oracle, making it applicable even to adversaries 
with chosen-ciphertext attack capabilities. 

Definition 2. A homomorphic encryption scheme is unlinkably homomorphic with respect to 𝒯 if for all PPT adversaries A, the advantage of A in the unlinkability experiment (Figure 4) is negligible.
Abstract. We consider the following problem: Given a commitment to a value σ, prove in zero-knowledge that σ belongs to some discrete set Φ. The set Φ can perhaps be a list of cities or clubs; often Φ can be a numerical range such as [1, 2^20]. This problem arises in e-cash systems, anonymous credential systems, and various other practical uses of zero-knowledge protocols.

When using commitment schemes relying on RSA-like assumptions, there are solutions to this problem which require only a constant number of RSA-group elements to be exchanged between the prover and verifier [?, ?, ?]. However, for many commitment schemes based on bilinear group assumptions, these techniques do not work, and the best known protocols require O(k) group elements to be exchanged where k is a security parameter.

In this paper, we present two new approaches to building set-membership proofs. The first is based on bilinear group assumptions. When applied to the case where Φ is a range of integers, our protocols require O(k / (log k − log log k)) group elements to be exchanged. Not only is this result asymptotically better, but the constants are small enough to provide significant improvements even for small ranges. Indeed, for a discrete logarithm based setting, our new protocol is an order of magnitude more efficient than previously known ones.

We also discuss alternative implementations of our membership proof based on the strong RSA assumption. Depending on the application, e.g., when Φ is a published set of values such as frequent flyer clubs, cities, or other ad hoc collections, these alternatives also outperform prior solutions.

Keywords: Range proofs, set membership proofs, proofs of knowledge, bilinear maps.

1 Introduction 

In this paper we consider zero-knowledge protocols which allow a prover to convince a verifier that a digitally committed value is a member of a given public set. A special case of this problem is to show that the committed value lies in a specified integer range.

The first problem, which we denote the set membership proof, occurs for 
instance in the context of anonymous credentials. Consider a user who is issued 
a credential containing a number of attributes such as address. Further assume the user needs to prove that she lives in a European capital. Thus, we are given a list of all such cities and the user has to show that she possesses a credential containing one of those cities as address (without, of course, leaking the city the user lives in). Or, consider a user who has a subscription to a journal (e.g., the news and the sports section). Further assume that some general sections are available to all subscribers of a list of sections. Thus, using our protocol, the user can efficiently show that she is a subscriber to one of the required kinds.

The second problem, which we denote the range proof, also occurs often in 
anonymous credential and e-cash scenarios. For example, a user with passport 
credential might wish to prove that her age is within some range, e.g. greater 
than 18, or say between 13 and 18 in the case of a teen-community website. This 
problem is a special case of the set membership proof. Since the elements of the 
set occur in consecutive order, special techniques can be applied. 


1.1 Our Results 

Given a set Φ = {φ_1, φ_2, ..., φ_n} and a commitment¹ C, a typical approach to the set membership problem is to use a zero-knowledge proof of the form

“C is a commitment to the element φ_1 OR it is a commitment to φ_2 OR it is a commitment to φ_3 ··· OR it is a commitment to φ_n.”

Even though there exist efficient algebraic Σ (Sigma) protocols for handling a single such OR clause, such a proof still has length which is proportional to n. One might argue that such proofs necessarily have length proportional to n since the task of describing the set Φ itself requires space n.

However, in many practical situations, the set Φ is often specified in advance by the verifying party. In other words, Φ can be considered a common input to both Prover and Verifier, and thus we might ask whether it is possible to prove a commitment is a commitment to an element of Φ without having to explicitly list Φ in the proof.

To the best of our knowledge, we are the first to propose such a scheme for general, unstructured sets. Our approach is incredibly simple. We provide a way to “encode” the set Φ in a way that allows for O(1)-sized proofs that a committed element belongs to Φ. Specifically, we let the verifier specify Φ by providing “digital signatures” on the elements of Φ under a new verification key vk. Now if we consider this set of digital signatures as a common input, the proof becomes a statement of the form:

1 One might wonder what it means to say “the element committed to in C” when the 
commitment scheme is not a perfectly-binding one. In such a case, technically, the 
proof is only computationally sound — often called an argument instead of a proof. In 
other words, we assume that a computationally-bounded prover knows only one way 
to open the commitment C and cannot deduce other ways. Indeed, such protocols 
are technically called arguments instead of proofs. Since prior work refers to the 
problem as a “proof,” we continue to use that term. 
“The prover knows a signature under vk for the element committed to in C.”

We provide two types of protocols that are instantiations of this idea. The first 
one is based on a bilinear-group signature scheme which enables an efficient way 
to make this proof. The second way is based on the Strong RSA assumption 
and uses the idea of cryptographic accumulators. In both cases, the actual proof 
of the statement requires 0(1) group elements to be exchanged between prover 
and verifier. 

The special case of Range proofs. A popular special case of the set membership problem occurs when the set Φ consists of a range [a, a + 1, a + 2, ..., b] — which we denote [a, b]. This problem has been well-studied because it occurs so often in practice. Indeed, under the Strong RSA assumption, there are very efficient proofs for this problem as we discuss in the prior work section below. However, in cases when the range is small or the same range is used in many protocol instantiations, our protocol will be more efficient (by a factor of about 8-10, depending on the group employed).

If one is not willing to rely on the Strong RSA assumption, the folklore method to the problem of range proofs is to have the Prover commit to all k bits of his secret, prove that these commitments all encode either a 0 or a 1 and prove that the commitments indeed commit to all the bits of s. The verifier is then convinced that the secret lies in [0, 2^{k+1} − 1] since there were only k commitments. The method can be generalized to any range. The size of such a proof is thus O(k) group elements.

Using the simple idea of the set membership proof, we are able to reduce this size both asymptotically and in practice for many often-occurring ranges. Our simple idea is as follows: Instead of committing to the individual bits of the committed value, we write the secret value in base-u (for some optimally chosen u) and commit to these u-ary digits. If we only provide ℓ such commitments and prove that the secret can be written in u-ary notation, then we implicitly prove that the secret is in the range [0, u^ℓ]. A generalization of this technique can be used to prove that the secret is in [a, b] for arbitrary integers a and b. The key technique is to use the set-membership protocol in order to prove that each committed digit is indeed a digit in base-u. Writing the secret in base-u (instead of base 2) is indeed an obvious step. However, with prior methods, doing so does not reduce the proof size. With prior methods, proving that a committed digit is a u-ary digit requires a u-wise OR proof of size O(u): since this u-wise OR proof must be done ℓ times independently, prior methods require communication O(u·ℓ).

The key insight in our scheme is to design a scheme which can reuse part of
one u-ary digit proof in all ℓ proof instances. Specifically, the verifier can send one
list of u signatures representing u-ary digits, and the prover can use this same list
to prove that all ℓ digits are indeed u-ary digits. Thus, the total communication
complexity of our approach is O(u + ℓ). With well-selected values for u and ℓ,
we show that this approach yields a proof of size O(k / (log k − log log k)), which is both
asymptotically and practically better than the only other known method.
Note that if the range is small or the same range is used for many protocols,
then it is more efficient to employ the set membership protocol directly.

1.2 Prior and Related Work 

Assume for concreteness the Pedersen commitment scheme over a prime order
group. Let g, h be elements of a group G of prime order q. Let C = g^s h^r be
the commitment that the prover has sent to the verifier, where s is the secret of
which the prover wants to show that it lies in a specific range and r is a randomly
chosen element from Z_q.

There are a number of known ways that a prover can convince a verifier that 
the secret committed in C lies in a given range assuming the hardness of the 
Strong (or sometimes called flexible) RSA problem. Let us review them here. 

The most frequent method used in practice is the following. First, the verifier
picks a safe prime product n = (2p + 1)(2q + 1) and two random quadratic
residues 𝔤, 𝔥 modulo n, and proves to the prover that 𝔤 ∈ ⟨𝔥⟩ holds. Next, the
verifier computes c = 𝔤^s 𝔥^{r'} mod n, sends this value to the prover and then runs
the following protocol with him:

PK{(s, r, r') : c = 𝔤^s 𝔥^{r'} (mod n) ∧ C = g^s h^r ∧ s ∈ [−A, A]}

The protocol is basically a generalized Schnorr proof (in a group of unknown
order), where the verifier, in addition to accepting the basic proof, also verifies
whether the answer corresponding to the secret s lies in [−A/2, A/2]. If it does,
then the verifier can conclude that the secret must lie in the range [−A, A] (this
becomes apparent when one considers the knowledge extractor for the protocol).
The drawback of this proof is that it in fact works only if the secret lies in the
smaller range [−A · 2^{−(k'+k'')}, A · 2^{−(k'+k'')}], with k' being the number of bits of the
challenge sent by the verifier and k'' determining the statistical zero-knowledge
property, i.e., the secret must be k' + k'' bits smaller. Therefore the protocol
cannot be used in situations where one has to show that a secret lies exactly in
a given range.

Boudot provided an efficient proof that does not have this drawback. He used
the observation that any positive number can be written as the sum of four
squares. Thus, to show that a secret s lies in [A, B], one just needs to show that
the values s_1 = s − A and s_2 = B − s are positive. So basically, what the prover
has to do is to give commitments to s_1 and s_2 and to the numbers s_{(1,1)}, …, s_{(1,4)}
and s_{(2,1)}, …, s_{(2,4)}, the sums of whose squares equal s_1 and s_2 respectively.
Of course, if these commitments were, e.g., Pedersen commitments in a group of
prime order q, then all we could conclude is that s_1 and s_2 are sums of four
squares modulo q, which is not very helpful. Luckily, Okamoto and Fujisaki
have shown that when the commitments and the proof are done in a group whose
order is not known to the prover, then these relations hold over the integers
and thus one can really assert that s_1 and s_2 are positive.

Thus, we get the following protocol: First the prover computes the
commitments c_{(i,j)} = 𝔤^{s_{(i,j)}} 𝔥^{r_{(i,j)}} mod n for some randomly chosen r_{(i,j)}, sends
these to the verifier and then engages in the following proof with him:

PK{(s, r, r', r'', r''', s_{(i,j)}, r_{(i,j)}) :
  c_{(1,1)} = 𝔤^{s_{(1,1)}} 𝔥^{r_{(1,1)}} ∧ … ∧ c_{(1,4)} = 𝔤^{s_{(1,4)}} 𝔥^{r_{(1,4)}} ∧
  c_{(2,1)} = 𝔤^{s_{(2,1)}} 𝔥^{r_{(2,1)}} ∧ … ∧ c_{(2,4)} = 𝔤^{s_{(2,4)}} 𝔥^{r_{(2,4)}} ∧
  c/𝔤^A = c_{(1,1)}^{s_{(1,1)}} ⋯ c_{(1,4)}^{s_{(1,4)}} 𝔥^{r''} ∧ 𝔤^B/c = c_{(2,1)}^{s_{(2,1)}} ⋯ c_{(2,4)}^{s_{(2,4)}} 𝔥^{r'''} ∧
  c = 𝔤^s 𝔥^{r'} (mod n) ∧ C = g^s h^r}

We see that this protocol requires the prover to compute 22 modular exponentiations
(including the computation of the commitments) and the verifier to compute 12
modular exponentiations. The communication complexity is about 35 group
elements. Groth optimizes this protocol by exploiting the fact that special
integers can be written as the sum of 3 squares instead of 4 squares. The major
drawback of these approaches is that the Rabin-Shallit algorithm typically used
to find the 4 (or 3) squares which sum to the secret takes time O(k^4), where k is
the size of the interval. Lipmaa provides another algorithm to find these squares
that improves somewhat on the Rabin-Shallit one. However, in practice, the
running times of these algorithms quickly make this approach prohibitive.

Independently of our work, Teranishi and Sako presented a k-Times
Anonymous Authentication scheme in which they give a range proof using the Boneh-
Boyen signature scheme; it can be obtained from our generalized set membership.
However, their range proof does not compete with ours, as our verifier
publishes significantly fewer signatures.

Schoenmakers studied and discussed several recursive relations which
can be used to reduce the number of basic Schnorr proofs when committing to
the individual bits of the secret. In particular, he writes the upper bound L of the
positive range [0, L) as either the product or the sum of two numbers. By applying
this scheme recursively he decreased the amount of work needed. However, the
overall communication load in his protocols is still O(k), where 2^{k−1} < L ≤ 2^k.
We note that some of his techniques for reducing certain ranges to other, more
convenient ranges can be used with any range proof technique.

Micali, Kilian, and Rabin considered a more general problem in which
a polynomial-time prover wants to commit to a finite set Φ of strings so that,
later on, he can, for any string x, reveal with a proof whether x ∈ Φ or x ∉ Φ
without leaking any knowledge beyond the membership assertions. In particular,
the proofs do not even reveal the size of Φ, much less the actual elements. Thus,
these protocols are not directly comparable to ours.

1.3 Organization 

In Section 2 we recall zero-knowledge proofs and Σ-protocols and define proofs of
set membership and range proofs. In Section 3 we describe our new signature-
based set membership together with its corresponding proof. In Section 4 we
explain how to apply our new signature-based set membership to obtain an efficient
range proof. We also focus on the communication complexity and show how our
new range proof is asymptotically better. To give a better insight into the state
of the art, we provide a concrete example together with a comparison with
previous work. In Section 5 we recall cryptographic accumulators together with
their proofs, and we describe our new accumulator-based set membership.

2 Definitions 

Zero-knowledge proofs and Σ-protocols. We use the standard definitions. A
pair of interacting algorithms (P, V) is a proof of knowledge (PK) for a relation
R = {(α, β)} ⊆ {0,1}* × {0,1}* with knowledge error κ ∈ [0,1] if (1) for
all (α, β) ∈ R, V(α) accepts a conversation with P(β) with probability 1; and
(2) there exists an expected polynomial-time algorithm E, called the knowledge
extractor, such that if a cheating prover P* has probability ε of convincing V
to accept α, then E, when given rewindable black-box access to P*, outputs a
witness β for α with probability ε − κ.

A proof system (P, V) is honest-verifier zero-knowledge if there exists a p.p.t.
algorithm Sim, called the simulator, such that for any (α, β) ∈ R, the outputs
of V(α) after interacting with P(β) and those of Sim(α) are computationally
indistinguishable.

Note that standard techniques can be used to transform an honest-verifier zero-
knowledge proof system into a general zero-knowledge one. This is especially
true of the special Σ-protocols that will be presented later in the paper. Thus, for the
remainder of the paper, our proofs will be honest-verifier zero-knowledge. (This
also allows us to make more accurate comparisons with the other proof techniques,
since they are usually also presented as honest-verifier protocols.)

A Σ-protocol is a proof system (P, V) where the conversation is of the form
(a, c, z), where a and z are computed by P, and c is a challenge chosen at random
by V. The verifier accepts if φ(α, a, c, z) = 1 for some efficiently computable
predicate φ. Given two accepting conversations (a, c, z) and (a, c', z') for c ≠ c',
one can efficiently compute a witness β. Moreover, there exists a polynomial-
time simulator Sim that on input α and a random string c outputs an accepting
conversation (a, c, z) for α that is perfectly indistinguishable from a real conversation
between P(β) and V(α).

We use the notation introduced by Camenisch and Stadler for the various zero-
knowledge proofs of knowledge of discrete logarithms and proofs of the validity
of statements about discrete logarithms. For instance,

PK{(α, β, γ) : y = g^α h^β ∧ 𝔶 = 𝔤^α 𝔥^γ ∧ (u < α < w)}

denotes a "zero-knowledge Proof of Knowledge of integers α, β, and γ such that
y = g^α h^β and 𝔶 = 𝔤^α 𝔥^γ hold, where u < α < w," where y, g, h, 𝔶, 𝔤, and 𝔥 are
elements of some groups G = ⟨g⟩ = ⟨h⟩ and 𝔊 = ⟨𝔤⟩ = ⟨𝔥⟩. The convention is that
Greek letters denote quantities the knowledge of which is being proved, while all
other parameters are known to the verifier. Using this notation, a proof protocol
can be described by just pointing out its aim while hiding all details. We note
that all of the protocols we present in this notation can be easily instantiated as
Σ-protocols.
Definition 1 (Proof of Set Membership). Let C = (Gen, Com, Open) be the
generation, commit and open algorithms of a string commitment scheme.
For an instance c, a proof of set membership with respect to commitment scheme
C and set Φ is a proof of knowledge for the following statement:

PK{(σ, ρ) : c ← Com(σ; ρ) ∧ σ ∈ Φ}

Remark: The proof system is defined with respect to any commitment scheme.
Thus, in particular, if Com is a perfectly-hiding scheme, then the language
consists of all commitments (assuming that Φ is non-empty). Thus for soundness,
it is important that the protocol is a proof of knowledge.

Definition 2 (Range Proof). A range proof with respect to a commitment
scheme C is a special case of a proof of set membership in which the set Φ is a
continuous sequence of integers Φ = [a, b) for a, b ∈ N.

3 Signature-Based Set Membership 

Here we present a new set membership protocol that is inspired by the oblivious
transfer protocol presented by Camenisch, Neven, and shelat. The basic idea
is that the verifier first sends the prover a signature on every element in the
set Φ. Thus, the prover receives a signature on the particular element σ to
which C is a commitment. The prover then "blinds" this received signature and
performs a proof of knowledge that she possesses a signature on the committed
element. Notice that the communication complexity of this proof depends on
the cardinality of Φ, in particular because the verifier's first message contains a
signature on every element in Φ. The rest of the protocol, however, requires only
a constant number of group elements to be sent. The novelty of this approach
is that the first verifier message can be re-used in other proofs of membership;
indeed, we use this property to achieve our results for range proofs.

Computational Assumptions. Our protocols in this section require bilinear
groups and associated hardness assumptions. Let PG be a pairing group generator
that on input 1^k outputs descriptions of multiplicative groups G_1 and G_T of
prime order p where |p| = k. Let G_1^* = G_1 \ {1} and let g ∈ G_1^*. The generated
groups are such that there exists an admissible bilinear map e : G_1 × G_1 → G_T,
meaning that (1) for all a, b ∈ Z_p it holds that e(g^a, g^b) = e(g, g)^{ab}; (2) e(g, g) ≠
1; and (3) the bilinear map is efficiently computable.

Definition 3 (Strong Diffie-Hellman Assumption). We say that the
q-SDH assumption associated to a pairing generator PG holds if for all p.p.t.
adversaries A, the probability that A(g, g^x, …, g^{x^q}), where (G_1, G_T) ← PG(1^k),
g ← G_1^* and x ← Z_p, outputs a pair (c, g^{1/(x+c)}) where c ∈ Z_p is negligible in k.

A recent work by Cheon shows a "weakness" in the q-SDH assumption.
However, this "weakness" is not so relevant when q is a very small number like
50, as it is in our paper.
Boneh-Boyen Signatures. Our scheme relies on the elegant Boneh-Boyen
short signature scheme, which we briefly summarize. The signer's secret key is
x ← Z_p; the corresponding public key is y = g^x. The signature on a message m
is σ ← g^{1/(x+m)}; verification is done by checking that e(σ, y · g^m) = e(g, g). This
scheme is similar to the Dodis and Yampolskiy verifiable random function.
Security under weak chosen-message attack is defined through the following
game. The adversary begins by outputting ℓ messages m_1, …, m_ℓ. The challenger
generates a fresh key pair and gives the public key to the adversary, together
with signatures σ_1, …, σ_ℓ on m_1, …, m_ℓ. The adversary wins if it succeeds in
outputting a valid signature σ on a message m ∉ {m_1, …, m_ℓ}. The scheme is
said to be unforgeable under a chosen-message attack if no p.p.t. adversary A
has non-negligible probability of winning this game. Our scheme relies on the
following property of the Boneh-Boyen short signature, which we paraphrase
below:

Lemma 1 (Boneh-Boyen, Lemma 3.2). Suppose the q-Strong Diffie-Hellman assumption
holds in (G_1, G_T). Then the basic Boneh-Boyen signature scheme is q-secure
against an existential forgery under a weak chosen message attack.

A Note on Protocol Clarity. In order to make our protocols more readable in this 
version, we do not specifically mention standard checks such as verifying that a 
received number is a prime, verifying that an element is a proper generator and 
in the correct group, and, specifically related to our protocols, whether all of the 
received verifier values are signatures, etc. Again, many of these checks only apply 
when compiling from honest-verifier zero-knowledge to full zero-knowledge; as 
we mentioned above, we only consider the honest case. 


Common Input: g, h, a commitment C, and a set Φ

Prover Input: σ, r such that C = g^σ h^r and σ ∈ Φ.

P ←(y, A_i)← V: Verifier picks x ∈_R Z_p and
  sends y ← g^x and A_i ← g^{1/(x+i)} for every i ∈ Φ.

P →(V)→ V: Prover picks v ∈_R Z_p and sends V ← A_σ^v.

Prover and Verifier run PK{(σ, r, v) : C = g^σ h^r ∧ V = g^{v/(x+σ)}}

P →(a, D)→ V: Prover picks s, t, m ∈_R Z_p and
  sends a ← e(V, g)^{−s} e(g, g)^t and D ← g^s h^m.

P ←(c)← V: Verifier sends a random challenge c ∈_R Z_p.

P →(z_σ, z_v, z_r)→ V: Prover sends z_σ ← s − σc, z_v ← t − vc, and z_r ← m − rc.

Verifier checks that D = C^c h^{z_r} g^{z_σ} and
  that a = e(V, y)^c · e(V, g)^{−z_σ} · e(g, g)^{z_v}

Fig. 1. Set membership protocol for set Φ
Theorem 1. If the |Φ|-Strong Diffie-Hellman assumption associated with a pairing
generator PG holds, then the protocol in Fig. 1 is a zero-knowledge argument of
set membership for a set Φ.

Proof. The completeness of the protocol follows by inspection. The soundness
follows from the extraction property of the proof of knowledge and the unforgeability
of the random function. In particular, the extraction property implies that
for any prover P* that convinces V with probability ε, there exists an extractor
which interacts with P* and outputs a witness (σ, r, v) with probability poly(ε).
Moreover, if we assume that the extractor input consists of two transcripts, i.e.,

{y, {A_i}, V, a, D, c, c', z_σ, z'_σ, z_v, z'_v, z_r, z'_r},

the witness can be obtained by computing:



The extractor succeeds when (c' − c) is invertible in Z_p. If σ ∉ Φ, then P* can
(almost) directly be used to mount a weak chosen-message attack against the
Boneh-Boyen signature scheme with probability poly(ε) of succeeding. Thus, ε
must be negligible.

Finally, to prove honest-verifier zero-knowledge, we construct a simulator Sim
that will simulate all interactions with any honest verifier V*, see Fig. 2.

1. Sim retrieves y, {A_i} from V*.

2. Sim chooses σ ∈_R Φ, v ∈_R Z_p and sends V ← A_σ^v to V*.

3. Sim chooses s, t, m ∈_R Z_p and sends a ← e(V, g)^{−s} e(g, g)^t and D ← g^s h^m to V*.

4. Sim receives c from V*.

5. Finally Sim computes and sends z_σ ← s − σc, z_v ← t − vc, and z_r ← m − rc to
V*.

Fig. 2. Simulator for the set membership protocol

Since G_1 is a prime-order group, the blinding is perfect in the first
two steps; thus the zero-knowledge property follows from the zero-knowledge
property of the Σ-protocol (Steps 3 to 5).
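The Σ-protocol part of Fig. 1 that does not need the pairing (the D, z_σ, z_r exchange over the Pedersen commitment), together with the two-transcript extractor and the honest-verifier simulator described in the proof above, as an added Python example; this is not code from the paper. It assumes a constructed toy group of prime order q = 1019 inside Z_2039^* (far too small to be secure) and leaves out the signature-blinding moves (V, a and the pairing checks), which would require a bilinear group. Function names are this example's own.

```python
import secrets

# Constructed toy parameters (NOT secure, illustration only):
# p = 2q + 1 with q prime; g = 4 and h = 9 are quadratic residues mod p and so
# both generate the subgroup of prime order q, playing the role of G = <g> = <h>.
P, Q = 2039, 1019
G, H = 4, 9


def pedersen(sigma, r):
    """Commitment C = g^sigma h^r, the prover's input in Fig. 1."""
    return pow(G, sigma, P) * pow(H, r, P) % P


def prover_first_move():
    """Prover picks s, m in Z_q and sends D = g^s h^m (the D part of the third move)."""
    s, m = secrets.randbelow(Q), secrets.randbelow(Q)
    return (s, m), pow(G, s, P) * pow(H, m, P) % P


def prover_response(state, sigma, r, c):
    """Responses z_sigma = s - sigma*c and z_r = m - r*c, reduced in Z_q."""
    s, m = state
    return (s - sigma * c) % Q, (m - r * c) % Q


def verify(C, D, c, z_sigma, z_r):
    """Verifier check from Fig. 1: D = C^c h^{z_r} g^{z_sigma}."""
    return D == pow(C, c, P) * pow(H, z_r, P) * pow(G, z_sigma, P) % P


def extract(c1, z1, c2, z2):
    """Knowledge extractor: two accepting transcripts sharing D with c1 != c2 give
    sigma = (z_sigma - z'_sigma) / (c' - c) and r likewise; (c' - c) is invertible in Z_q."""
    inv = pow((c2 - c1) % Q, -1, Q)
    sigma = (z1[0] - z2[0]) * inv % Q
    r = (z1[1] - z2[1]) * inv % Q
    return sigma, r


def simulate(C, c):
    """Honest-verifier simulator: pick the responses first, then solve the check for D.
    The transcript is distributed exactly like a real one without knowing sigma or r."""
    z_sigma, z_r = secrets.randbelow(Q), secrets.randbelow(Q)
    D = pow(C, c, P) * pow(H, z_r, P) * pow(G, z_sigma, P) % P
    return D, z_sigma, z_r


def demo(sigma=17, r=None):
    """Run the protocol honestly, rewind it with a second challenge, extract, and simulate.
    Returns (both transcripts verify, extractor recovered (sigma, r), simulated transcript verifies)."""
    r = secrets.randbelow(Q) if r is None else r
    C = pedersen(sigma, r)
    state, D = prover_first_move()
    c1, c2 = secrets.randbelow(Q), secrets.randbelow(Q)
    while c2 == c1:                      # the extractor needs two distinct challenges
        c2 = secrets.randbelow(Q)
    z1 = prover_response(state, sigma, r, c1)
    z2 = prover_response(state, sigma, r, c2)
    both_ok = verify(C, D, c1, *z1) and verify(C, D, c2, *z2)
    extracted_ok = extract(c1, z1, c2, z2) == (sigma % Q, r % Q)
    D_sim, zs, zr = simulate(C, c1)
    return both_ok, extracted_ok, verify(C, D_sim, c1, zs, zr)


if __name__ == "__main__":
    print(demo())
```

The extractor is the special-soundness property from Section 2 made concrete: it never interacts with the prover beyond rewinding to the same D, and it fails only when c' − c is not invertible, which in a prime-order group means c = c'.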

4 Range Proofs 

We now turn our attention to the range proofs. 

First note that the protocol for set membership can be directly applied to the
problem of range proofs. This will not be efficient for ranges spanning more than
a few hundred elements. However, if the particular range is fixed over many
protocols, as it might often be (as is for instance the case when one needs to
prove that one is between 13 and 18 years old), then the verifier can publish the
signatures once and for all. Thus, the proofs become just the second phase, which
amounts to one pairing and two exponentiations for the prover and the verifier.
This will be about a factor of 8-10 times more efficient than employing Boudot's
method.

For the remainder assume, however, that the range is large or that the cost 
of publishing/ sending the signatures on the set elements cannot be amortized. 

Instead, our approach is to write the secret σ in u-ary notation, i.e., σ =
Σ_j σ_j · u^j. We may now easily prove that σ ∈ [0, u^ℓ) by simply providing (and
proving) commitments to the u-ary digits of σ. This problem, however, can be
solved by repeating the basic set-membership protocol from above on the set
[0, u − 1]. Moreover, the first verifier message, which requires the most communication,
can be re-used for each of the ℓ digits. Assuming that σ ∈ [0, B), the
goal is thus to minimize the communication load under the constraint u^ℓ ≥ B.

4.1 Range Proofs From Our Signature-Based Set-Membership 
Protocol 

We first present how to prove that our secret σ lies in [0, u^ℓ) (see Figure 3).
Write σ in base u to obtain ℓ elements as follows: σ = Σ_j (σ_j u^j).

Common Input: g, h, u, ℓ, and a commitment C

Prover Input: σ, r such that C = g^σ h^r and σ ∈ [0, u^ℓ).

P ←(y, A_i)← V: Verifier picks x ∈_R Z_p and
  sends y ← g^x and A_i ← g^{1/(x+i)} for every i ∈ Z_u.

P →(V_j)→ V: Prover picks v_j ∈_R Z_p and
  sends V_j ← A_{σ_j}^{v_j} for every j ∈ Z_ℓ, s.t. σ = Σ_j σ_j u^j.

Prover and Verifier run PK{(σ_j, r, v_j) : C = h^r ∏_j (g^{u^j})^{σ_j} ∧ V_j = g^{v_j/(x+σ_j)}}

P →(a_j, D)→ V: Prover picks s_j, t_j, m_j ∈_R Z_p for every j ∈ Z_ℓ and
  sends a_j ← e(V_j, g)^{−s_j} e(g, g)^{t_j} and D ← ∏_j (g^{u^j s_j} h^{m_j}).

P ←(c)← V: Verifier sends a random challenge c ∈_R Z_p.

P →(z_{σ_j}, z_{v_j}, z_r)→ V: Prover sends z_{σ_j} ← s_j − σ_j c, z_{v_j} ← t_j − v_j c for every j ∈ Z_ℓ,

Verifier checks that D = C^c h^{z_r} ∏_j g^{u^j z_{σ_j}} and
  that a_j = e(V_j, y)^c · e(V_j, g)^{−z_{σ_j}} · e(g, g)^{z_{v_j}} for every j ∈ Z_ℓ

Fig. 3. Range proof protocol for range [0, u^ℓ)


Lemma 2. If the (log k)-Strong Diffie-Hellman assumption associated to a pairing
generator PG(1^k) holds, there exists a zero-knowledge range argument for the
range [0, u^ℓ) where u^ℓ < {0,1}^{k−1}.


244 J. Camenisch, R. Chaabouni, and a. shelat 
Proof. (Sketch) 

Completeness follows from inspection. As before, the soundness follows from
the unforgeability of the Boneh-Boyen signature and the extraction property of
the proof of knowledge protocol. The honest-verifier zero-knowledge property
follows from the perfect blinding of the signatures in the first phase, and the
corresponding honest-verifier zero-knowledge property of the Σ-protocol.


Remark: The prover will have to compute hi exponentiations. 

4.2 Communication Complexity 

The first message, consisting of u signatures and a verification key sent by the
verifier to the prover, is not counted as part of the protocol ((u + 1) · |G_1|).
The prover then sends ℓ blinded values back. Thus, the first phase requires
Init_1(u, ℓ) = ℓ · |G_1| communication. The second phase of the protocol involves
a proof of knowledge. The prover sends ℓ + 1 first messages of a Σ-protocol. The
verifier sends a single challenge, and the prover responds with 2ℓ + 1 elements.
Thus the overall communication load according to the parameters u and ℓ is:

Com(u, ℓ) = ℓ · (|G_1| + |G_T| + 2 · |Z_p|) + (|G_1| + 2 · |Z_p|)    (1)

Finding the optimal u and ℓ thus involves solving

min c_1 u + c_2 ℓ + c_3   s.t.   u^ℓ ≥ B

Notice that the bit-committing protocol corresponds to a setting where u = 2
and ℓ = k, which leads to a total communication complexity of O(k). Since our
protocol allows us to choose a more suitable u, we first show that the asymptotic
complexity of our approach is smaller than that of the prior protocols.


Asymptotic Analysis. For the asymptotic analysis, we may ignore the constants
c_1, c_2 and c_3. Moreover, we can take B ≈ p/2 as this is sufficient for
showing that a committed value is "positive," i.e., in the range [0, (p − 1)/2].
Since p/2 ≈ 2^k, the constraint becomes u^ℓ ≥ 2^{k−1}.

By taking logs and dividing, we have that ℓ ≈ k / log u. Setting u = k / log k, we then
get that

u = O(k / log k),   ℓ = O(k / (log k − log log k)),

resulting in a total communication complexity of

Com(u, ℓ) = O(k / (log k − log log k)),

which is asymptotically smaller than O(k).
Concrete Optimization. Not only is our solution asymptotically better, but
it also performs well for realistic concrete parameters. In order to perform the
optimization for concrete parameters, we substitute the constraint u^ℓ ≈ B
into the expression c_1 u + c_2 ℓ above. To minimize, we set the derivative with respect
to u to 0 and attempt to solve the equation:

c_1 − (c_2 log B) / (u log^2 u) = 0,

which simplifies to

u log^2 u = (c_2 log B) / c_1    (2)

where c_2 / c_1 ≈ 10 when standard bilinear groups are used. This equation cannot
be solved analytically. However, given B, c_1 and c_2, we can use numerical
methods to find a good u.


4.3 Handling Arbitrary Ranges [a, b ] 

The above protocol works for the range [0, u^ℓ). In order to handle an arbitrary
range [a, b], we use an improvement of a folklore reduction described by Schoenmakers.
Suppose that u^{ℓ−1} < b < u^ℓ. To show that σ ∈ [a, b], it
suffices to show that

σ ∈ [a, a + u^ℓ]  AND  σ ∈ [b − u^ℓ, b]

Proving that our secret lies in both subsets can be derived from our general
proof that σ ∈ [0, u^ℓ), as illustrated in the figure:

(Figure: a number line with the points b − u^ℓ, a, b and a + u^ℓ, in that order.)

σ ∈ [b − u^ℓ, b) ⟺ σ − b + u^ℓ ∈ [0, u^ℓ)
σ ∈ [a, a + u^ℓ) ⟺ σ − a ∈ [0, u^ℓ).

Note that the u signatures and the verification key need to be sent only once for
both subsets. Since both a, b are public, the only modification necessary is the
verifier's check, which should now be:

D_1 = (C g^{−B+u^ℓ})^c h^{z_r} ∏_j g^{u^j z_{σ_j}},   D_2 = (C g^{−A})^c h^{z_r} ∏_j g^{u^j z_{σ_j}}.

Thus, essentially 'M extra elements are sent in the protocol, and the prover will
have to compute in overall 7ℓ exponentiations.
This scheme can be further optimized when A + u^{ℓ−1} < B with an OR-composition.
Indeed, the decomposition becomes:

[A, B) = [B − u^{ℓ−1}, B) ∪ [A, A + u^{ℓ−1}).

The needed modifications are similar to the previous case; the efficiency gain arises
from the fact that we are now working with Z_{ℓ−1}. The length of the range set
can also be optimized. Indeed, if B − A = u^ℓ then the proof reduces to proving
that σ − A ∈ [0, u^ℓ).

Combining this analysis with Lemma 2 yields the following theorem.

Theorem 2. If the (log k)-Strong Diffie-Hellman assumption associated to a pairing
generator PG(1^k) holds, there exists a zero-knowledge range argument for
the range [a, b] where 0 < a < b < {0,1}^{k−1} whose communication complexity is

O(k / (log k − log log k)).
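The reduction of Section 4.3 in code, as an added example that is not part of the paper: the prover's u-ary digit decomposition used in Fig. 3, the digit-level test for σ ∈ [0, u^ℓ), and the two shifted instances that together establish σ ∈ [a, b). Commitments and pairings are left out, the function names are this example's own, and the intervals are taken half-open as in the two equivalences just above.

```python
def digits_base_u(sigma, u, l):
    """Return the l base-u digits of sigma (least significant first), so that
    sigma = sum_j sigma_j * u^j, exactly as the prover forms sigma_j in Fig. 3.
    Raises ValueError when sigma is outside [0, u^l), i.e. when no such digits exist."""
    if u < 2 or l < 1:
        raise ValueError("need u >= 2 and l >= 1")
    if not 0 <= sigma < u ** l:
        raise ValueError("sigma has no l-digit base-u representation")
    digits = []
    for _ in range(l):
        digits.append(sigma % u)
        sigma //= u
    return digits


def in_range_zero_ul(sigma, u, l):
    """sigma in [0, u^l) iff it has an l-digit base-u representation with every digit in Z_u.
    This is the statement the l reused digit proofs of Fig. 3 establish."""
    try:
        digits = digits_base_u(sigma, u, l)
    except ValueError:
        return False
    return all(0 <= d < u for d in digits)


def shifted_instances(sigma, a, b, u, l):
    """The two [0, u^l) instances of Section 4.3 for the claim sigma in [a, b):
    sigma - a and sigma - b + u^l. Requires u^(l-1) < b < u^l as in the text."""
    if not u ** (l - 1) < b < u ** l:
        raise ValueError("need u^(l-1) < b < u^l")
    return sigma - a, sigma - b + u ** l


def in_range_ab(sigma, a, b, u, l):
    """AND-composition: sigma in [a, a + u^l) and sigma in [b - u^l, b).
    Because 0 <= a and b < u^l, the intersection of the two intervals is exactly [a, b)."""
    lower, upper = shifted_instances(sigma, a, b, u, l)
    return in_range_zero_ul(lower, u, l) and in_range_zero_ul(upper, u, l)


def prover_digit_sets(sigma, a, b, u, l):
    """Digits the prover would commit to in each of the two shifted range proofs."""
    lower, upper = shifted_instances(sigma, a, b, u, l)
    return digits_base_u(lower, u, l), digits_base_u(upper, u, l)


if __name__ == "__main__":
    # Values from the paper's own example: birth dates in [347184000, 599644800), u = 57, l = 5.
    A, B, U, L = 347184000, 599644800, 57, 5
    print(in_range_ab(A, A, B, U, L), in_range_ab(B, A, B, U, L))
    print(prover_digit_sets(A, A, B, U, L))
```

Note that the verifier never sees σ; what the code's membership test models is the statement the ℓ digit proofs establish, and `prover_digit_sets` is the decomposition step the prover performs privately before blinding the signatures A_{σ_j}.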

4.4 Concrete Example and Discussion 

Let us discuss our protocol and compare it with other available solutions. The
bottom line is that the performance of the different methods depends on the application
at hand as well as on the assumptions one is willing to make. Assume for a
moment that all assumptions are fine. Then, for very small intervals (a couple of bits),
the standard bit-by-bit method and Schoenmakers' method will probably be the
most efficient ones. For very large intervals, the method by Boudot will probably
be the one of choice, as it is mostly independent of the size of the interval. More
precisely, it is independent for the verifier but not for the prover, as the prover
needs to run the Rabin-Shallit algorithm to represent numbers as the sum of
four squares, and this algorithm has complexity O(n^4) where n is the bit-length
of the number to be decomposed.

Having said that, our method will typically be the most efficient one when
the signatures can be made part of the system parameters, which is probably
the case in many scenarios. Of course, at some point it will no longer be possible
to publish signatures on all elements in the range, and that is where one will have
to restrict these signatures and employ the protocol in this section. When this
becomes necessary, one will in practice have to choose whether it is more
efficient to use our algorithm or Boudot's; the other two will definitely be
less efficient.

If one is not restricted by the assumptions one is willing to make, the case
is not so clear cut. Let us give a concrete example to shed some light on this.
If we pick B = 599644800 (which represents people born before 1989, with
their birth date encoded using the Unix Epoch system), we can find the optimal
values of u and ℓ either by computing them numerically or by following the cited
approach. Both methods lead us to u = 57 and ℓ = 5, which minimize the overall
communication load:

Com(57, 5) = 6 · |G_1| + 5 · |G_T| + 12 · |Z_p|    (3)
Let us illustrate this optimization case with a concrete example. We will
assume that an airline company wants to provide special offers to its young
clients through a third party. However, the exact age of clients should not be divulged
to the third party. This offer targets those who are born between 1981 and 1989
(not included). Following the previous example, the birth date will be a secret
number in [347184000, 599644800). Here the best option will be to use the
OR-composition as A + u^{ℓ−1} < B (we know from the previous example that
u = 57 and ℓ = 5). Using parameters from Galbraith, Paterson, and Smart,
we estimate that the size of G_1 is 256 bits, the size of G_T is 3072 bits and the
size of Z_p is upper-bounded by 256 bits. This leads to an overall communication
load of:

Com(u = 57, ℓ = 5) = ℓ · |G_1| + (2ℓ − 2) · |G_T| + 4ℓ · |Z_p| = 30976 bits    (4)
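The cost model of Section 4.2 and the concrete figures of Section 4.4, as an added Python example that is not from the paper: equation (1) and equation (4) as printed, evaluated with the group sizes |G_1| = 256, |G_T| = 3072 and |Z_p| = 256 bits quoted above; the smallest base u with u^ℓ ≥ B for each ℓ; a brute-force minimiser of c_1 u + c_2 ℓ under that constraint; and a numerical solution of the stationary-point equation (2). The weight c_2/c_1 is a free parameter of this example (the page does not state which weights produced u = 57, ℓ = 5), and all function names are this example's own.

```python
from math import log

# Group sizes in bits as quoted in Section 4.4 (Galbraith-Paterson-Smart parameters).
G1_BITS, GT_BITS, ZP_BITS = 256, 3072, 256
B_1989 = 599644800   # Unix-time bound used in the paper's example


def com(l, g1=G1_BITS, gt=GT_BITS, zp=ZP_BITS):
    """Equation (1): bits sent for the [0, u^l) proof, excluding the (u+1) published G_1 elements."""
    return l * (g1 + gt + 2 * zp) + (g1 + 2 * zp)


def com_or(l, g1=G1_BITS, gt=GT_BITS, zp=ZP_BITS):
    """Equation (4) as printed for the OR-composed range proof of Section 4.4."""
    return l * g1 + (2 * l - 2) * gt + 4 * l * zp


def min_base(B, l):
    """Smallest integer u >= 2 with u^l >= B (the constraint of the optimisation)."""
    u = max(2, int(round(B ** (1.0 / l))))   # float estimate, then corrected exactly
    while u > 2 and (u - 1) ** l >= B:
        u -= 1
    while u ** l < B:
        u += 1
    return u


def optimal_params(B, c1, c2):
    """Minimise c1*u + c2*l subject to u^l >= B by trying every l up to log2(B)."""
    best = None
    for l in range(1, B.bit_length() + 1):
        u = min_base(B, l)
        cost = c1 * u + c2 * l
        if best is None or cost < best[0]:
            best = (cost, u, l)
    return best[1], best[2]


def stationary_u(B, c1, c2):
    """Solve u * ln(u)^2 = (c2/c1) * ln(B), equation (2), by bisection;
    u ln^2 u is increasing for u > 1, so the root is unique."""
    target = c2 / c1 * log(B)
    lo, hi = 2.0, float(B)
    for _ in range(200):
        mid = (lo + hi) / 2
        if mid * log(mid) ** 2 < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    print("Com(57,5) per eq. (1):", com(5), "bits; OR-composed eq. (4):", com_or(5), "bits")
    for ratio in (10, 46):
        print("c2/c1 =", ratio, "->", optimal_params(B_1989, 1, ratio),
              "continuous optimum u =", round(stationary_u(B_1989, 1, ratio), 2))
```

Because the exponent ℓ is integral, the continuous root of equation (2) is only a starting point; `optimal_params` then takes the integer u forced by u^ℓ ≥ B for each candidate ℓ, which is what makes the result jump between (57, 5) and other pairs as the weight ratio changes.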

In order to have a better appreciation of this result, let us compare it to previous
protocols:

Scheme                       | Communication Complexity
-----------------------------|-------------------------
Our new range proof          | 30976 bits
Boudot's method              | 48946 bits
Standard bit-by-bit method   | 96768 bits
Schoenmakers' method         | 50176 bits

Fig. 4. Communication load comparison for range proof [347184000, 599644800)

Let us also discuss the computational complexities. For the verifier, the figures
are roughly similar to the communication complexities, as basically the verifier
needs to do some computation with each element received. For the prover it is
about the same, with the exception of Boudot's method, where the prover
needs to run the Rabin-Shallit algorithm. Experiments show that the latter
algorithm dominates by far the other operations the prover needs to do.

Now, when one does not want to resort to the (strong) RSA assumption, our
method is the only one that provides an efficient proof, except when the interval
is only a couple of bits.

5 Alternative Set Membership Proofs 

The protocol in the previous section employed a set-membership proof as a
building block. The set-membership proof protocol we presented in Section 3 has
the verifier produce signatures on the set elements and send them to the prover,
and then has the prover show that he knows a signature (by the verifier) on
the element he holds. Concretely, we employed the weak signature scheme by
Boneh and Boyen in that section. We now discuss alternative solutions to the set
membership protocol, essentially so that the whole protocol could be based
on different assumptions. Due to space restrictions we do not give all the details
here but only in the full version of this paper. While the solution presented
previously is the most efficient one, the alternatives discussed in this section are
of similar efficiency.

5.1 Using Alternative Signature Schemes 

The protocol that we presented in Section 3 required the prover to be able to
prove knowledge of a signature on a value that he has committed to, where we
used the Pedersen commitment scheme. Apart from the weak Boneh-Boyen signature
scheme, there are other signature schemes that could be employed. In terms
of assumptions, one notable alternative would be the one by Camenisch and
Lysyanskaya that is based on the strong RSA assumption. It is not hard to
adapt the protocol given in Section 3 to that signature scheme, in particular as
Camenisch and Lysyanskaya give protocols to prove knowledge of a committed
value in their paper.

5.2 Alternative Protocol Using Cryptographic Accumulators 

The reason why we employed a signature scheme in our set-membership protocol
is that the prover needed to show that he committed to a value for which
he knows an authenticator, without revealing that value or authenticator. Now
it turns out that one can achieve exactly the same goal with cryptographic
accumulators with similar complexities.

Recall cryptographic accumulators. A cryptographic accumulator is an algorithm
that allows one to compress a list of elements into a single accumulator
value. For each element there exists a witness attesting to the fact that the
element is indeed contained in the accumulator value. For some cryptographic
accumulators, there exist efficient proof protocols that allow a prover holding
the element and the witness to prove to a verifier in zero knowledge that he
indeed is privy to an element that is contained in the accumulator. Camenisch
and Lysyanskaya have given an implementation of such an accumulator and a
protocol to prove that a committed value is indeed contained in the accumulator,
based on the strong RSA assumption.

Now the idea to build an efficient set-membership proof with a dynamic accumulator
is very similar to the signature-based one: the verifier adds each element
in the set into the accumulator and sends the accumulator value to the prover
together with the witness for each element. The prover then proves to the verifier
that the value he has committed to is indeed contained in the accumulator
produced by the verifier, using the witness obtained from the verifier. This protocol
is depicted in Appendix A for the SRSA-based accumulator.
A Accumulator Based Membership Proof

A.1 Cryptographic Accumulators and Proofs for Them

Definition 4. A secure accumulator for a family of inputs {X_k} is a family of
families of functions 𝒢 = {F_k} with the following properties:

Efficient generation: There is an efficient probabilistic algorithm G that on input 1^k
produces a random element f of F_k. Moreover, along with f, G also outputs some
auxiliary information about f, denoted t_f.

Efficient evaluation: f ∈ F_k is a polynomial-size circuit that, on input (u, x) ∈ U_f × X_k,
outputs a value v ∈ U_f, where U_f is an efficiently-samplable input domain for
the function f, and X_k is the intended input domain whose elements are to be
accumulated.

Quasi-commutative: For all k, for all f ∈ F_k, for all u ∈ U_f, for all x_1, x_2 ∈ X_k,
f(f(u, x_1), x_2) = f(f(u, x_2), x_1). If X = {x_1, …, x_m} ⊆ X_k, then by f(u, X) we
denote f(f(…(u, x_1), …), x_m).

Witnesses: Let v ∈ U_f and x ∈ X_k. A value w ∈ U_f is called a witness for x in v under
f if v = f(w, x).

Security: Let U'_f × X'_k denote the domains for which the computational procedure for
function f ∈ F_k is defined (thus U_f ⊆ U'_f, X_k ⊆ X'_k). For all probabilistic
polynomial-time adversaries A_k,

Pr[f ← G(1^k); u ← U_f; (x, w, X) ← A_k(f, U_f, u) :
  X ⊆ X_k; w ∈ U'_f; x ∈ X'_k; x ∉ X; f(w, x) = f(u, X)] = neg(k)

Note that only the legitimate accumulated values, (x_1, …, x_m), must belong to X_k;
the forged value x can belong to a possibly larger set X'_k.

Implementation Based on the Strong RSA Assumption. Here we recall 
the Camenisch–Lysyanskaya accumulator [?]. 

– $\mathcal{F}_k$ is the family of functions that correspond to exponentiating modulo safe-prime 
products drawn from the integers of length $k$. Choosing $f \in \mathcal{F}_k$ amounts to choosing 
a random modulus $n = pq$ of length $k$, where $p = 2p'+1$, $q = 2q'+1$, and 
$p, p', q, q'$ are all prime. We will denote $f$ corresponding to modulus $n$ and domain 
$X_{A,B}$ by $f_{n,A,B}$. We denote $f_{n,A,B}$ by $f_n$, or by $f$ when it does not cause confusion. 

– $X_{A,B}$ is the set $\{e \in \text{primes} : e \neq p', q' \ \wedge\ A \le e \le B\}$, where $A$ and $B$ can be 
chosen with arbitrary polynomial dependence on the security parameter $k$, as long 
as $2 < A$ and $B < A^2$. $X'_{A,B}$ is (any subset of) the set of integers from $[2, A^2 - 1]$ 
such that $X_{A,B} \subseteq X'_{A,B}$. 

– For $f = f_n$, the auxiliary information $\mathit{aux}_f$ is the factorization of $n$. 

– For $f = f_n$, $U_f = \{u \in QR_n : u \neq 1\}$ and $U'_f = \mathbb{Z}_n^*$. 

– For $f = f_n$, $f(u, x) = u^x \bmod n$. 

Note that $f(f(u, x_1), x_2) = f(u, \{x_1, x_2\}) = u^{x_1 x_2} \bmod n$. 

Common Input: $g$, $h$, a commitment $C$, and a set $\Phi$ 
Prover Input: $s_j, r$ such that $C = g^{s_j} h^{r}$ and $s_j \in \Phi$. 

P ← V: Verifier picks a safe prime product $n = (2p+1)(2q+1)$ and 
random quadratic residues $u, \mathfrak{g}, \mathfrak{h}$ modulo $n$, 
picks random $u_i \in \{0,1\}^{k'}$ such that $e_i = s_i 2^k + u_i$ are prime, 
computes $v \leftarrow u^{\prod_i e_i} \bmod n$ and $w_i \leftarrow v^{1/e_i} \bmod n$, 
sends $n, u, v, \mathfrak{g}, \mathfrak{h}$, and $\Phi_{e,w} \leftarrow \{(s_1, e_1, w_1), \ldots, (s_n, e_n, w_n)\}$, 
and convinces the prover that $\mathfrak{g} \in \langle \mathfrak{h} \rangle$ 
(we will discuss the details separately below). 

P → V: Prover picks $r_1, r_2, r_3 \in \{0, \ldots, n 2^{\ell}\}$, 
where $\ell$ is a security parameter, and 
sends $W \leftarrow w_j u^{r_1} \bmod n$, $R \leftarrow \mathfrak{g}^{r_1} \mathfrak{h}^{r_2} \bmod n$ 
and $E \leftarrow \mathfrak{g}^{e_j} \mathfrak{h}^{r_3} \bmod n$. 

Prover and Verifier run 

$PK\{(\alpha, \beta, \gamma, \delta, \varepsilon, \mu, \rho, \rho_1, \rho_2, \rho_3, \varphi, \xi, \nu) : C = g^{\alpha} h^{\rho} \ \wedge$ 
$E = (\mathfrak{g}^{2^k})^{\alpha} \mathfrak{g}^{\mu} \mathfrak{h}^{\rho_3} \pmod n \ \wedge\ R = \mathfrak{g}^{\rho_1} \mathfrak{h}^{\rho_2} \pmod n \ \wedge$ 
$v = W^{\varepsilon} (1/u)^{\delta} \pmod n \ \wedge\ 1 = R^{\varepsilon} \mathfrak{g}^{-\delta} \mathfrak{h}^{-\varphi} \pmod n \ \wedge$ 
$\mu \in [-2^{k-1}, 2^{k-1}]\}$ 

Fig. 5. Set membership protocol for set $\Phi$ 


A.2 Membership Proof with Cryptographic Accumulators 

We are now ready to employ the accumulator for the membership proof, which can be 
used as an alternative building block for our range proof presented in Section 4. 

One complication that we have to deal with here is that the accumulator allows 
one to accumulate prime numbers only, whereas our set consists of arbitrary bit strings. We 
thus need to encode a mapping. This can be done as follows. Let $\{s_1, \ldots, s_n\}$ be our 
set, where we assume that the $s_i$ are integers. We let $e_i = s_i 2^k + u_i$, where $u_i < 
2^{k'} < 2^k$ is selected so that $e_i$ is prime; $k$ and $k'$ are security parameters (we discuss 
them below). With this encoding, the verifier can accumulate all the $e_i$'s and send 
the accumulator value, the $e_i$, and the corresponding witnesses to the prover. Now the 
prover has to prove that the $e_i$ that corresponds to the $s_i$ in his commitment is contained 
in the accumulator. The resulting protocol is given in Figure 5, where we adapt the 
accumulator proof given by Camenisch and Lysyanskaya [?] to our setting. That is, we 
have to additionally prove that the correspondence between the $e_i$ and the committed 
$s_i$ holds. For this to work, the prover needs to show that he knows some $u_i$ such that 
$e_i = s_i 2^k + u_i$ holds. Here it is of course important that this $u_i$ be at most $2^{k-1}$. 
This can be enforced efficiently provided that in reality $u_i$ is a couple of bits smaller, 
i.e., $k'$ bits, where in practice the difference should be about 300 bits for this to work. 
More precisely, we employ the first range proof discussed in Section 4. 

Remarks: 1) We need to discuss how the verifier can convince the prover that $\mathfrak{g} \in \langle \mathfrak{h} \rangle$ 
holds. One way to achieve this is that the verifier (who knows the discrete logarithm) runs 
with the prover the protocol $PK\{(\alpha) : \mathfrak{g} = \mathfrak{h}^{\alpha} \pmod n\}$ using binary challenges. Another, 
more efficient, way is described by Bangerter et al. [?]. 

2) We note also that, for many applications, the parameters $n, u, v, \mathfrak{g}, \mathfrak{h}$, and 
$\Phi_{e,w} \leftarrow \{(s_1, e_1, w_1), \ldots, (s_n, e_n, w_n)\}$ can be computed and published once and for all 
(possibly by a trusted third party). In this case the computational complexity of our 
protocols becomes independent of the number of members in the set. 
Abstract. This paper proposes preimage attacks on the hash function 
HAVAL whose output length is 256 bits. This paper has three main 
contributions: a preimage attack on 3-pass HAVAL at the complexity 
of $2^{225}$, a preimage attack on 4-pass HAVAL at the complexity of $2^{241}$, 
and a preimage attack on 5-pass HAVAL reduced to 151 steps at the 
complexity of $2^{241}$. Moreover, we optimize the computational order for the 
brute-force attack on full 5-pass HAVAL, and its complexity is $2^{254.89}$. As 
far as we know, the proposed attack on 3-pass HAVAL is the best attack, 
and there is no preimage attack so far on 4-pass and 5-pass HAVAL. 
Note that the complexity of the previous best attack on 3-pass HAVAL 
is $2^{230}$. Technically, our attacks find pseudo-preimages of HAVAL by 
combining the meet-in-the-middle and local-collision approaches, then 
convert pseudo-preimages to a preimage by using a generic algorithm. 

Keywords: HAVAL, splice-and-cut, meet-in-the-middle, local collision, 
hash function, one-way, preimage. 


1 Introduction 

Cryptographic hash functions are important primitives for building secure schemes. 
A hash function takes an arbitrarily long bit string and outputs a hash value of 
fixed length. A hash function is required to satisfy security properties such 
as collision resistance, 2nd-preimage resistance, and preimage resistance. When 
the length of the hash value is $n$ bits, a collision, a 2nd preimage, and a preimage 
should not be computable faster than $2^{n/2}$, $2^n$, and $2^n$ operations, respectively. 

HAVAL [?] is one of the dedicated hash functions and has a relatively long 
history. HAVAL is based on the Merkle–Damgård construction, and its compression 
function is similar to that of MD5 [?]. The basic operation of HAVAL is done on 32 bits, 
the same as in MD5; therefore, 32-bit values are called words. However, the 
interface of the HAVAL compression function is doubled compared to MD5, that 
is, the number of chaining variables and the message length of the compression 
function are 8 words and 32 words, respectively. The nonlinear function of HAVAL 
takes seven words as input and outputs a word. So one step of HAVAL changes 
only one word out of the 8 words of the internal state. To satisfy several security 
requirements, HAVAL has three variants called $x$-pass HAVAL ($x = 3, 4, 5$). 
$x$-pass HAVAL consists of $32x$ steps. 

Due to its simple structure, there are several cryptanalytic results on HAVAL, 
as summarized below. However, regarding preimage attacks, there is 
only one result, on 3-pass HAVAL [2]. In this paper, we propose preimage attacks 

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 253 ff., 2008. 
Table 1. Comparison of preimage attacks on HAVAL 

Attack target | Number of steps   | Attack type     | Previous work [2] | Our attack, strategy 1* | Our attack, strategy 2 
--------------+-------------------+-----------------+-------------------+-------------------------+----------------------- 
3-pass        | 96 (Full)         | Pseudo-preimage | 2^224             | –                       | 2^192 
              |                   | Preimage        | 2^230             | 2^253                   | 2^225 
4-pass        | 128 (Full)        | Pseudo-preimage | –                 | –                       | 2^224 
              |                   | Preimage        | –                 | 2^254.43                | 2^241 
5-pass        | 151 (Steps 0–150) | Pseudo-preimage | –                 | –                       | 2^224 
              |                   | Preimage        | –                 | Not evaluated           | 2^241 
              | 160 (Full)        | Pseudo-preimage | –                 | –                       | 2^253.81* 
              |                   | Preimage        | –                 | 2^254.89                | – 

* This attack is a kind of brute-force attack, but the computation is optimized. 
Strategy 1 searches directly for a message connecting the IV to the hash value 
(Section 4), so its complexities are listed in the Preimage rows. 


on HAVAL: the best attack on 3-pass HAVAL so far, and the first attacks on 4-pass 
HAVAL and 5-pass HAVAL. 

Known previous results other than preimage attacks are as follows: collision 
attacks on 3-pass HAVAL are discussed in Refs. [?], and those on 4-pass 
HAVAL are discussed in Refs. [?]. Note that a real collision has been generated 
for up to 4-pass HAVAL. Theoretically, a collision of 5-pass HAVAL can be generated 
in $2^{123}$ compression function evaluations [?], which is faster than the birthday 
paradox for 256-bit output. (Hereafter, we omit the unit of complexity whenever 
it is obvious; it is the number of compression function evaluations.) Non-randomness 
of 4-pass and 5-pass HAVAL in the encryption mode is analyzed in Refs. [?]. 
The security of HMAC-HAVAL is analyzed in Ref. [?]. A 2nd-preimage attack on 
3-pass HAVAL and its application to HMAC-3-pass-HAVAL are proposed in Ref. [?]. 
However, this 2nd-preimage attack is different from the one usually considered. 
In Ref. [?] a useful statement clarifying the difference between these two types 
of 2nd-preimage attacks is given. The attack of Ref. [?] can generate a 2nd 
preimage at the complexity of one compression function with probability 
$2^{-114}$ for a given random message, and it requires complexity $2^{128}$ with 
probability $1 - 2^{-114}$. Therefore, the average complexity is very close to 
$2^{128}$. Consequently, no result that produces a 2nd preimage of any given 
message is known. Moreover, no result is known on preimage attacks on HAVAL, 
except for the recent result on 3-pass HAVAL [2]. 

1.1 Related Work Regarding Preimage Attacks 

In 2008, a preimage attack on MD4 was proposed by Leurent [8]. The attack 
first generates pseudo-preimages based on Dobbertin's pioneering work [?], 
and converts the pseudo-preimage attack to a preimage attack by using the generic 
approach [?, Fact 9.99].¹ Preimage attacks on step-reduced MD5 and full 3-pass 
HAVAL are proposed by Aumasson et al. [2], whose approach is based on the 
meet-in-the-middle technique. Preimage attacks on full MD4 and 63-step MD5 
are proposed by [1], whose approach is also based on the meet-in-the-middle 
technique. Note that both of [1,2] use the conversion algorithm of [?, Fact 9.99]. 

In the meet-in-the-middle attack of Aumasson et al. [2], a compression function 
is divided into the first half and the last half, and both computation results 
are compared in the middle. They also use new techniques that make the attack 
efficient by using the absorption properties of Boolean functions. On the other 
hand, Aoki and Sasaki propose new techniques to apply the meet-in-the-middle 
attack not only to the first half and the last half but also to any two consecutive 
parts of a compression function [1]. This paper combines the techniques of 
Refs. [1,2] and attacks more passes of HAVAL. 

¹ The following works that compute a preimage from partial pseudo-preimages also use 
this kind of conversion. The method of the conversion from partial pseudo-preimages 
to a preimage is improved by using a hash tree [?] and a $P^3$ graph [?]. 

1.2 Our Contributions 

In this paper, we propose preimage attacks on 3-, 4-, and 5-pass HAVAL whose 
output length is 256 bits. First, we consider a strategy to find preimages of 3-, 4-, 
and 5-pass HAVAL faster than the brute-force attack by a few bits (strategy 1). 
Second, we consider another strategy that can find preimages of 3-, 4-, and 
5-pass HAVAL much more efficiently by combining the techniques of [2] and [1] 
(strategy 2). As a result of applying strategy 2 to each pass of HAVAL, we find 
the best preimage attack so far on 3-pass HAVAL by using the techniques of [1], 
the first preimage attack on 4-pass HAVAL by combining the techniques of [1] and 
[2], and the first preimage attack on step-reduced 5-pass HAVAL by combining the 
techniques of [1] and [2] and further improving a technique of [2]. We summarize 
the results of the previous work and ours in Table 1. 

The organization of this paper is as follows. Section 2 introduces the specification 
of HAVAL and the techniques of existing attacks. Section 3 gives two strategies for 
preimage attacks that can be applied to HAVAL and other hash functions whose 
message expansion is similar to HAVAL's. Regarding the technique in Ref. [2] as 
an application of a local collision, we can compute preimages of a hash function 
that has more rounds. Section 4 describes attacks on HAVAL following strategy 1. 
Section 5 describes attacks on HAVAL following strategy 2. Finally, 
we conclude this paper in Section 6. 

2 Previous Works: Specification and Techniques for 
Preimage Attacks 

2.1 Description of HAVAL 

HAVAL is a hash function proposed by Zheng et al. in 1992, which compresses 
a message of up to $(2^{64} - 1)$ bits into either 128, 160, 192, 224, or 256 bits. Since 
this paper only analyzes the 256-bit version, we only describe the specification for 
256 bits. HAVAL iteratively computes a step function to compute a hash value. 
The number of steps is chosen from 96, 128, or 160, where the corresponding 
HAVAL algorithms are called 3-pass HAVAL, 4-pass HAVAL, and 5-pass 
Table 2. HAVAL message expansion (message word index $\pi(j)$ used at step $j$ of each pass; 
pass 1 uses the identity order, so the first row serves as both the step index and the pass-1 word order) 

Step (pass 1) |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 
Pass 2        |  5 14 26 18 11 28  7 16  0 23 20 22  1 10  4  8 30  3 21  9 17 24 29  6 19 12 15 13  2 25 31 27 
Pass 3        | 19  9  4 20 28 17  8 22 29 14 25 12 24 30 16 26 31 15  7  3  1  0 18 27 13  6 21 10 23 11  5  2 
Pass 4        | 24  4  0 14  2  7 28 23 26  6 30 20 18 25 19  3 22 11 31 21  8 27 12  9  1 29  5 15 17 10 16 13 
Pass 5        | 27  3 21 26 17 11 20 29 19  0 12  7 13  8 31 10  5  9 14 30 18  6 28 24  2 23 16 22  4  1 25 15 


HAVAL, respectively. HAVAL has the Merkle–Damgård structure, which uses 
256-bit (8-word) chaining variables and a 1024-bit (32-word) message block to 
compute a compression function. 

An input message $M$ is processed to be a multiple of 1024 bits by the padding 
procedure. A single bit '1' is appended, followed by '0's until the length becomes 
944 modulo 1024. At the end, a 3-bit field representing the version number 
of HAVAL, a 3-bit field representing the number of passes used, a 10-bit field 
representing the output length, and a 64-bit field representing the unpadded message 
length are appended. 

The padded message $M^*$ is separated into 1024-bit message blocks $(M_0, M_1, \ldots, 
M_{n-1})$. Let $CF : \{0,1\}^{256} \times \{0,1\}^{1024} \to \{0,1\}^{256}$ be the compression function 
of HAVAL. A hash value is computed as follows. 

1. $H_0 \leftarrow IV$, 

2. $H_{i+1} \leftarrow CF(H_i, M_i)$ for $i = 0, 1, \ldots, n-1$, 

where $H_i$ is a 256-bit value and $IV$ is the initial value defined in the specification. 
Finally, $H_n$ is output as the hash value of $M$. 

Compression Function. The compression function $H_{i+1} \leftarrow CF(H_i, M_i)$ is 
computed as follows. 

1. $M_i$ is divided into 32-bit message words $m_j$ ($j = 0, 1, \ldots, 31$). 

2. $p_0 \leftarrow H_i$. 
  $0 \le j \le 31$:   $f_j(x_6, x_5, \ldots, x_0) = x_1x_4 \oplus x_2x_5 \oplus x_3x_6 \oplus x_0x_1 \oplus x_0$ 
 $32 \le j \le 63$:   $f_j(x_6, x_5, \ldots, x_0) = x_1x_2x_3 \oplus x_2x_4x_5 \oplus x_1x_2 \oplus x_1x_4 \oplus x_2x_6 \oplus x_3x_5 \oplus x_4x_5 \oplus x_0x_2 \oplus x_0$ 
 $64 \le j \le 95$:   $f_j(x_6, x_5, \ldots, x_0) = x_1x_2x_3 \oplus x_1x_4 \oplus x_2x_5 \oplus x_3x_6 \oplus x_0x_3 \oplus x_0$ 
 $96 \le j \le 127$:  $f_j(x_6, x_5, \ldots, x_0) = x_1x_2x_3 \oplus x_2x_4x_5 \oplus x_3x_4x_6 \oplus x_1x_4 \oplus x_2x_6 \oplus x_3x_4 \oplus x_3x_5 \oplus x_3x_6 \oplus x_4x_5 \oplus x_4x_6 \oplus x_0x_4 \oplus x_0$ 
$128 \le j \le 159$:  $f_j(x_6, x_5, \ldots, x_0) = x_1x_4 \oplus x_2x_5 \oplus x_3x_6 \oplus x_0x_1x_2x_3 \oplus x_0x_5 \oplus x_0$ 
$x_a x_b$ represents the bitwise AND operation. 

Fig. 2. Boolean Functions of HAVAL 

Table 3. Wordwise rotation of HAVAL (the word permutations $\phi_{x,j}$; table body not reproduced here) 

3. $p_{j+1} \leftarrow R_j(p_j, m_{\pi(j)})$ for $j = 0, 1, \ldots, k$, where $k = 32x - 1$ for $x$-pass. 

4. Output $H_{i+1}\,(= p_{k+1} + H_i)$, where "+" denotes 32-bit word-wise addition. In 
this paper, we similarly use "−" to denote 32-bit word-wise subtraction. 

$R_j$ is the step function for Step $j$. Let $Q_j$ be a 32-bit value that satisfies 
$p_j = (Q_{j-7}\|Q_{j-6}\|Q_{j-5}\|Q_{j-4}\|Q_{j-3}\|Q_{j-2}\|Q_{j-1}\|Q_j)$. $R_j$ for $x$-pass HAVAL 
($x \in \{3, 4, 5\}$) is defined as follows: 

$$T = f_j \circ \phi_{x,j}(Q_{j-6}, Q_{j-5}, Q_{j-4}, Q_{j-3}, Q_{j-2}, Q_{j-1}, Q_j),$$ 
$$Q_{j+1} = (Q_{j-7} \ggg 11) + (T \ggg 7) + m_{\pi(j)} + K_{x,j},$$ 
$$R_j(p_j, m_{\pi(j)}) = p_{j+1} = (Q_{j-6}\|Q_{j-5}\|Q_{j-4}\|Q_{j-3}\|Q_{j-2}\|Q_{j-1}\|Q_j\|Q_{j+1}),$$ 

where $f_j$ is a bitwise Boolean function defined in Fig. 2, $\phi_{x,j}$ is a word-wise 
permutation defined in Table 3, $\pi$ is the message expansion function defined in 
Table 2, $\ggg n$ is $n$-bit right rotation, and $K_{x,j}$ is a constant defined in the 
specification. We show a graph of the step function in Fig. 1. Note that $R_j^{-1}$ 
can be computed in almost the same complexity as that of $R_j$. 
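As an added example (not code from the paper), the following block encodes the five Boolean functions of Fig. 2 and the message expansion of Table 2 and checks two facts the later sections rely on: which input of each $f$ can be absorbed by fixing one other input to a constant (the property Aumasson et al. exploit, and the one Section 3.2 needs when a neutral word's change must not propagate), and at which steps a given message word is consumed in $x$-pass HAVAL (e.g. $m_5$ at Steps 5, 32, 94 and $m_6$ at Steps 6, 55, 89 for 3-pass, as Section 2.3 states). It also enumerates the word pairs satisfying the two-round splice-and-cut condition of Section 3.2. The function names and the absorption search are this example's own; since Table 3 (the permutations $\phi_{x,j}$) is not reproduced on the page, the step function itself is not implemented here.

```python
"""HAVAL Boolean functions (Fig. 2) and message expansion (Table 2), with an
absorption search and word-position checks. Added example; only the formulas
and word orders come from the page, the rest is this example's construction."""
from itertools import product


def f1(x0, x1, x2, x3, x4, x5, x6):          # steps 0..31
    return (x1 & x4) ^ (x2 & x5) ^ (x3 & x6) ^ (x0 & x1) ^ x0


def f2(x0, x1, x2, x3, x4, x5, x6):          # steps 32..63
    return ((x1 & x2 & x3) ^ (x2 & x4 & x5) ^ (x1 & x2) ^ (x1 & x4) ^ (x2 & x6)
            ^ (x3 & x5) ^ (x4 & x5) ^ (x0 & x2) ^ x0)


def f3(x0, x1, x2, x3, x4, x5, x6):          # steps 64..95
    return (x1 & x2 & x3) ^ (x1 & x4) ^ (x2 & x5) ^ (x3 & x6) ^ (x0 & x3) ^ x0


def f4(x0, x1, x2, x3, x4, x5, x6):          # steps 96..127
    return ((x1 & x2 & x3) ^ (x2 & x4 & x5) ^ (x3 & x4 & x6) ^ (x1 & x4) ^ (x2 & x6)
            ^ (x3 & x4) ^ (x3 & x5) ^ (x3 & x6) ^ (x4 & x5) ^ (x4 & x6) ^ (x0 & x4) ^ x0)


def f5(x0, x1, x2, x3, x4, x5, x6):          # steps 128..159
    return (x1 & x4) ^ (x2 & x5) ^ (x3 & x6) ^ (x0 & x1 & x2 & x3) ^ (x0 & x5) ^ x0


BOOLEAN_FUNCTIONS = (f1, f2, f3, f4, f5)


def absorbing_conditions(f, target):
    """(c, val) pairs such that fixing x_c = val makes f independent of x_target
    for every value of the other five inputs. f is bitwise, so this single-bit
    analysis carries over to 32-bit words: a change injected at x_target is
    absorbed whenever the x_c word is set to all-val bits."""
    found = set()
    for c in range(7):
        if c == target:
            continue
        for val in (0, 1):
            absorbed = True
            for bits in product((0, 1), repeat=7):
                if bits[c] != val:
                    continue
                flipped = list(bits)
                flipped[target] ^= 1
                if f(*bits) != f(*flipped):
                    absorbed = False
                    break
            if absorbed:
                found.add((c, val))
    return found


# Table 2: word index consumed at step j of each pass (pass 1 is the identity).
PI = (
    tuple(range(32)),
    (5, 14, 26, 18, 11, 28, 7, 16, 0, 23, 20, 22, 1, 10, 4, 8,
     30, 3, 21, 9, 17, 24, 29, 6, 19, 12, 15, 13, 2, 25, 31, 27),
    (19, 9, 4, 20, 28, 17, 8, 22, 29, 14, 25, 12, 24, 30, 16, 26,
     31, 15, 7, 3, 1, 0, 18, 27, 13, 6, 21, 10, 23, 11, 5, 2),
    (24, 4, 0, 14, 2, 7, 28, 23, 26, 6, 30, 20, 18, 25, 19, 3,
     22, 11, 31, 21, 8, 27, 12, 9, 1, 29, 5, 15, 17, 10, 16, 13),
    (27, 3, 21, 26, 17, 11, 20, 29, 19, 0, 12, 7, 13, 8, 31, 10,
     5, 9, 14, 30, 18, 6, 28, 24, 2, 23, 16, 22, 4, 1, 25, 15),
)


def pi(j):
    """Message word index m_{pi(j)} used at step j (steps numbered from 0)."""
    return PI[j // 32][j % 32]


def expansion_is_valid():
    """Each pass must be a permutation of the 32 message words."""
    return all(sorted(row) == list(range(32)) for row in PI)


def word_steps(word, passes):
    """Steps at which m_word is consumed in x-pass HAVAL (x = passes)."""
    return [j for j in range(32 * passes) if pi(j) == word]


def splice_and_cut_pairs():
    """(a, b) with a before b in pass 1 and b before a in pass 2: the two-round
    condition of Section 3.2 for a pair of neutral words."""
    pos2 = {w: i for i, w in enumerate(PI[1])}
    return [(a, b) for a in range(32) for b in range(a + 1, 32) if pos2[b] < pos2[a]]


if __name__ == "__main__":
    print("valid expansion:", expansion_is_valid())
    print("m5 steps (3-pass):", word_steps(5, 3), "m6 steps:", word_steps(6, 3))
    for i, fn in enumerate(BOOLEAN_FUNCTIONS, 1):
        print(f"f{i}: x4 absorbed by", sorted(absorbing_conditions(fn, 4)))
    print(len(splice_and_cut_pairs()), "two-round neutral-word pairs")
```

For $f_1$ the search reports, among others, that fixing $x_1 = 0$ absorbs $x_4$ and fixing $x_1 = 1$ absorbs $x_0$; for $f_5$ no single fixed input absorbs $x_1$, because of the term $x_0x_1x_2x_3$, which is the kind of obstacle Section 3.2 has in mind when it says absorbing a neutral word's change "tends to be difficult" in some positions.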


2.2 Converting Pseudo-preimages to a Preimage 

For a given hash value $y$, a pseudo-preimage is a pair $(x, M)$ such that 
$CF(x, M) = y$, where $x$ may not equal $IV$ and $CF$ is the compression function 
of a Merkle–Damgård hash function. There is a generic algorithm that converts 
a pseudo-preimage attack to a preimage attack [?, Fact 9.99]. Let the complexity 
of a pseudo-preimage attack be $2^k$. The procedure of this attack when the hash 
value is $n$ bits long is as follows. 

1. Generate $2^{(n-k)/2}$ pseudo-preimages at the complexity of $2^k \cdot 2^{(n-k)/2}$. 

2. Generate $2^{(n+k)/2}$ messages that start from the $IV$, and compute their hash 
values. 

One of these hash values is expected to match the chaining input of one of the 
pseudo-preimages. The complexity of this attack is 
$2^k \cdot 2^{(n-k)/2} + 2^{(n+k)/2} = 2^{1+(n+k)/2}$. 

This algorithm has been used in previous preimage attacks [8,2,1]. 


2.3 Preimage Attacks on 3-Pass HAVAL 

Aumasson et al. proposed two attacks that find a preimage of 3-pass HAVAL at 
the complexity of $2^{230}$; the attacks require $16 \times 2^{64}$ words of memory [2]. 
Both attacks take the approach of the meet-in-the-middle attack. In this paper, 
we are particularly interested in Attack A of their paper [2, Algorithm 4]. 

In Attack A of [2, Algorithm 4], the authors focused attention on the 
locations of the message words $m_5$ and $m_6$, where $m_5$ appears at Steps 5, 32, and 
94 and $m_6$ appears at Steps 6, 55, and 89, as shown in Table 2.² First, the chaining 
variables $p_0$ to $p_6$, where $p_0$ is $IV$ and $p_{i+1}$ is the 256-bit output of the $i$-th step, 
are fixed so that a change of $m_6$ in Step 6 is guaranteed to be absorbed by 
changing $Q_{-1}$, which is the seventh word of the $IV$. Similarly, the chaining variables 
$p_{95}$ and $p_{96}$ are fixed so that a change of $m_5$ in Step 94 is guaranteed to be 
absorbed by changing $Q_{95}$, which is the seventh word of $p_{96}$. Due to this effort, the 
computation for Steps 0 to 47 becomes independent of $m_6$, and the computation for 
Steps 95 to 48 becomes independent of $m_5$. The authors of [2] and we call these 
independent words neutral words. 

Finally, the authors apply the meet-in-the-middle attack to find a pseudo-preimage 
of a given hash value $H_n = (H_a\|H_b\|H_c\|H_d\|H_e\|H_f\|H_g\|H_h)$. A 
rough sketch of the procedure is as follows. Refer to [2] for details. 

Algorithm 

1. Fix $m_x$, $x \notin \{5, 6\}$, and $p_y$, $y \in \{0, \ldots, 6, 95, 96\}$, so that changes of $m_6$ in 
Step 6 and of $m_5$ in Step 94 are absorbed and $p_0 + p_{96} = H_n$ is satisfied 
except for $Q_{-1} + Q_{95} = H_g$. 

2. For all 64 bits of $(m_5, Q_{-1})$, compute $p_{j+1} \leftarrow R_j(p_j, m_{\pi(j)})$ for $j = 0, 1, \ldots, 47$, 
and store the results in a table. 

3. For all 64 bits of $(m_6, Q_{95})$, compute $p_j \leftarrow R_j^{-1}(p_{j+1}, m_{\pi(j)})$ for $j = 95, 
94, \ldots, 48$. Then check whether the resulting $p_{48}$ matches one of the $p_{48}$'s in the table. 

4. For all matched pairs, check whether $Q_{-1} + Q_{95} = H_g$ is satisfied. 

In the above procedure, the meet-in-the-middle attack saves 64 bits of complexity, 
but step 4 of the procedure succeeds only with probability $2^{-32}$. Thus, 
this attack is faster than the brute-force attack by a factor of $2^{32}$. 

² We number the first step as 0. 
2.4 Preimage Attacks on MD4 and MD5 

Preimage attacks on MD4 and MD5 are proposed by Aoki and Sasaki [1]. They 
proposed a new technique called the splice-and-cut technique. 

Splice-and-Cut: Splice the last and the first step and divide the attack target into 
two chunks of steps so that each chunk includes at least one message word that 
is independent of the other chunk. Then, pseudo-preimages are computed by the 
meet-in-the-middle approach. 

Different from Aumasson et al. [2], Aoki and Sasaki focused attention on the 
property that the chaining variables in the first and last steps can be considered to 
be consecutive by the equation $p_0 = H_n - p_{last}$. This idea enables them to start 
the meet-in-the-middle attack from any step. 

Aoki and Sasaki also propose another technique named partial matching. 
This technique enables attackers to skip several steps when they search for good 
chunks in the attack target. Assume that one of the divided chunks provides the value 
of $p_i$, where $p_i = (Q_{i-7}\|Q_{i-6}\|Q_{i-5}\|Q_{i-4}\|Q_{i-3}\|Q_{i-2}\|Q_{i-1}\|Q_i)$, and the other 
chunk provides the value of $p_{i-4}$, where $p_{i-4} = (Q_{i-11}\|Q_{i-10}\|Q_{i-9}\|Q_{i-8}\|Q_{i-7}\| 
Q_{i-6}\|Q_{i-5}\|Q_{i-4})$. $p_i$ and $p_{i-4}$ cannot be directly compared; however, a part of 
these values, namely $Q_{i-7}$, $Q_{i-6}$, $Q_{i-5}$, and $Q_{i-4}$, can be compared immediately. 
In such a case, we can ignore the values of $m_{\pi(i-4)}$, $m_{\pi(i-3)}$, $m_{\pi(i-2)}$, and $m_{\pi(i-1)}$ 
when we perform the meet-in-the-middle attack. 

3 General Strategies of Our Preimage Attack 

3.1 Strategy 1: Speed Up the Brute-Force Attack 

This is a technique that enables us to quickly search for a message which 
connects a given initial value $IV$ and a given hash value $H_n$. The idea is to reuse 
an intermediate value of the computation of one message when we compute different 
messages. Assume $m_a$ and $m_b$ form a local collision in the first round, that is, 
any change of $m_a$ can be offset by changing $m_b$, and these message words appear at 
Steps $s_1, s_2$ ($s_1 < s_2$) in the second round. In this case, the computation result 
up to Step $s_1$ can be reused for all $m_a$ and the corresponding $m_b$. 

Moreover, since $IV$ and $H_n$ are fixed, the values of the chaining variables in 
the last round can also be reused. Let the steps at which $m_a$ and $m_b$ are used in the 
last round be $s_3, s_4$ ($s_3 < s_4$). In this case, the computation result from Step $s_4$ to the last 
step can be reused. 

Notice that this technique can also be realized by inserting a local collision in the 
last round. 


3.2 Strategy 2: Finding Pseudo-preimages by the 
Meet-in-the-Middle Attack 

Combining the splice-and-cut and local-collision techniques. The technique proposed 
by Aumasson et al. [2] is for finding a pseudo-preimage by applying the meet-in-the-middle 
attack that starts from the first step and the last step. On the other 
hand, the splice-and-cut and partial-matching techniques proposed by Aoki and 
Sasaki [1] are for finding a pseudo-preimage by applying the meet-in-the-middle 
attack that starts from an intermediate step. We found that these two techniques 
can be combined, and more steps might be attacked. 

Fig. 3. A local collision formed by the neutral words used by Aumasson et al. [2] 

Fig. 4. A long collision path used in the splice-and-cut technique 

Aumasson et al. use the fact that $m_6$ is used near the first step, $m_5$ is used near 
the last step, and the corresponding chaining variables appear in the same equation 
for computing the hash value. We found that their technique can be used not 
only at the first and last several steps but also at intermediate steps. 

Observation: The key idea of the attack is searching for message words that can 
form a local collision. In fact, their selection of message words can be considered 
as a local collision that starts at Step 94 and ends at Step 6. 

The graphical explanation is shown in Fig. 3. Cells denote 32-bit chaining variables 
and highlighted cells denote chaining variables whose values change 
according to the selection of the values of the neutral words $(m_5, m_6)$. The left diagram 
explains the attack procedure of Aumasson et al., and the right diagram describes 
it in a different step order to show that $(m_5, m_6)$ forms a local collision. Note that 
in the splice-and-cut technique, the first and last steps are considered to be 
consecutive by the equation $p_0 = H_n - p_{96}$, which can be ignored when we analyze 
the dependency of message words. 

As can be seen in Fig. 3, the technique of Aumasson et al. [2] can be inserted in 
any part of an attack target. Therefore, it can be combined with the splice-and-cut 
technique. For convenience, we call this technique the local-collision technique, 
and we summarize its property. 

New technique 1. Local-Collision: When we search for chunks in an attack target, 
neutral words forming a local collision can be ignored. This occurs when the neutral 
words appear $(L + 1)$ steps apart and the other chaining variables can be guaranteed 
not to be affected by the local collision, where $L$ represents the number of chaining 
variables (e.g., $L = 4$ for MD5, $L = 8$ for HAVAL). 

Fig. 5. Attack strategies on a hash function with up to 4 rounds (one panel per number 
of rounds; the last panel is titled "Attack strategy on a four-round hash function") 

Extension to use long collision paths. The local-collision technique described 
above can be extended to use a long collision path, as shown in Fig. 4. 
In HAVAL, the influence of changing $m_{\pi(i)}$ can be offset by changing $m_{\pi(i+8n)}$, 
$n \ge 1$. In this case, $m_{\pi(i+8k)}$, $1 \le k < n$, can be any message word. We call 
the $m_{\pi(i+8k)}$ uninvolved messages. As long as a meet-in-the-middle attack with a local 
collision such as the attack approach of Aumasson et al. is taken, neutral words 
can also be used as uninvolved messages. On the other hand, in our approach explained 
in Section 5, we use a "meet-in-the-middle attack" which uses two tables 
but does not get the gain of the time-to-memory conversion. Thus, neutral words 
require the complexity to be increased by about $n/(\text{number of all steps})$, since we need 
to fix all variables within the local-collision steps before we perform the "meet-in-the-middle 
attack". We also note that the changes of a 32-bit chaining variable corresponding 
to neutral words must be absorbed in the Boolean functions so that other 
chaining variables are not changed. Achieving this tends to be difficult if several 
message words appear twice, or if message words used as the padding string appear, in a local 
collision path. 

Number of rounds that can be attacked. The meet-in-the-middle attack 
works very efficiently if the message expansion consists of a permutation of the message 
word order in each round, as in MD5 or HAVAL. In this section, we formalize 
how many rounds can be attacked. The attack strategies are also drawn in Fig. 5. 
We explain how to attack a hash function that has only one round. Let us 
divide the attack target into the first half and the last half of the steps. In a round, 
each message word appears only once. Therefore, any pair of message words used in 
the first and second chunks are independent of each other, hence they can be used 
as the neutral words. Finally, we perform the meet-in-the-middle attack between 
the first chunk including $m_a$ and the second chunk including $m_b$. 

To attack a two-round hash function, we use the property that the chaining variables 
in the first and last steps can be considered to be consecutive. Let a pair 
of message words $(m_a, m_b)$ appear in the first round in this order. In the second 
round, if $m_b$ is used in an earlier step than $m_a$, the attack target can be divided 
into two chunks so that one chunk includes the neutral word $m_a$ and the other 
chunk includes $m_b$. Therefore, a pseudo-preimage attack can be achieved by the 
splice-and-cut technique. 

A three-round hash function can be attacked by combining the splice-and-cut 
technique with one of the partial-matching or local-collision techniques. Assume 
$(m_a, m_b)$ is a pair of message words that can be skipped by using the partial-matching 
or local-collision technique. In Fig. 5, skipped steps are indicated by 
parentheses. If the same strategy as for the two-round attack can be applied to the 
rest of the steps, a pseudo-preimage attack can be achieved. 

To attack a four-round hash function, we need to use all techniques. At the 
beginning of the two chunks, we skip several steps by the local-collision technique, 
and at the end of the two chunks, we skip several steps by the partial-matching 
technique. Both skipped ranges need to include both neutral words. 
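As an added example (not code from the paper), the block below runs the two-round splice-and-cut attack just described, followed by the pseudo-preimage-to-preimage conversion of Section 2.2, against a constructed miniature hash: 4 words of 4 bits (so $n = 16$), 8 message words, two 8-step rounds with a constructed round-2 word order `SIGMA` and constants `K`, an invertible HAVAL-like step that changes one word per step (with its $R_j^{-1}$, as Section 2.1 notes), and a word-wise feed-forward so that the splice $p_{16} = H - p_0$ applies. The neutral words are $m_1$ (Steps 1 and 11) and $m_5$ (Steps 5 and 8), so $m_5$ precedes $m_1$ in round 2 as the two-round condition requires. Everything in it, the hash included, is this example's construction; it is not HAVAL.

```python
"""Toy splice-and-cut meet-in-the-middle pseudo-preimage search followed by the
generic pseudo-preimage -> preimage conversion, on a constructed 16-bit hash.
Added example; the hash, SIGMA, K, IV and all names are this example's own."""
import random

W = 4                                   # bits per word
MASK = (1 << W) - 1
L = 4                                   # words in the chaining state (n = 16 bits)
NWORDS = 8                              # message words per block
STEPS = 16                              # round 1: steps 0-7, round 2: steps 8-15
SIGMA = (5, 2, 7, 1, 0, 6, 3, 4)        # constructed round-2 word order
PI = tuple(range(NWORDS)) + SIGMA       # pi(j): message word consumed at step j
K = tuple((7 * j + 3) & MASK for j in range(STEPS))   # constructed step constants
IV = (0x6, 0xA, 0x3, 0xC)               # constructed initial value


def rotr(x, r): return ((x >> r) | (x << (W - r))) & MASK
def rotl(x, r): return ((x << r) | (x >> (W - r))) & MASK
def f(x, y, z): return ((x & y) ^ (~x & z)) & MASK
def add(p, q): return tuple((a + b) & MASK for a, b in zip(p, q))
def sub(p, q): return tuple((a - b) & MASK for a, b in zip(p, q))


def step(p, j, msg):
    """R_j: p_j = (Q_{j-3}, Q_{j-2}, Q_{j-1}, Q_j) -> p_{j+1}; one word changes."""
    a, b, c, d = p
    return (b, c, d, (rotr(a, 1) + f(b, c, d) + msg[PI[j]] + K[j]) & MASK)


def step_inv(p_next, j, msg):
    """R_j^{-1}: recover Q_{j-3} from p_{j+1}; same cost as R_j."""
    b, c, d, q_new = p_next
    return (rotl((q_new - f(b, c, d) - msg[PI[j]] - K[j]) & MASK, 1), b, c, d)


def compress(h, msg):
    """CF(h, msg) = p_16 + h word-wise (feed-forward as in HAVAL)."""
    p = h
    for j in range(STEPS):
        p = step(p, j, msg)
    return add(p, h)


def hash_blocks(blocks):
    h = IV
    for m in blocks:
        h = compress(h, m)
    return h


# Neutral words: m_1 at steps 1 and 11, m_5 at steps 5 and 8, so m_5 precedes m_1
# in round 2. Chunk 1 = steps 5..10 (uses m_5, never m_1). Chunk 2 = steps 11..15,
# the splice p_16 = H - p_0, then steps 0..4 (uses m_1, never m_5). Cut at p_5.
A_WORD, B_WORD, CUT, MEET = 1, 5, 5, 11


def pseudo_preimage(target, rng, max_trials=200000):
    """Return (p_0, msg) with compress(p_0, msg) == target; p_0 is whatever falls out."""
    for _ in range(max_trials):
        msg = [rng.randrange(1 << W) for _ in range(NWORDS)]   # non-neutral words
        p_cut = tuple(rng.randrange(1 << W) for _ in range(L))  # state at the cut
        table = {}
        for mb in range(1 << W):                 # chunk 1, forward, varies m_5
            msg[B_WORD] = mb
            p = p_cut
            for j in range(CUT, MEET):
                p = step(p, j, msg)
            table[p] = mb
        for ma in range(1 << W):                 # chunk 2, backward, varies m_1
            msg[A_WORD] = ma
            p = p_cut
            for j in range(CUT - 1, -1, -1):
                p = step_inv(p, j, msg)
            p0 = p
            p = sub(target, p0)                  # splice: p_16 = H - p_0
            for j in range(STEPS - 1, MEET - 1, -1):
                p = step_inv(p, j, msg)
            if p in table:                       # both chunks agree on p_11
                msg[B_WORD] = table[p]
                return p0, tuple(msg)
    raise RuntimeError("no pseudo-preimage found")


def preimage(target, rng, n_pseudo=8, max_first_blocks=5_000_000):
    """Section 2.2 conversion: collect pseudo-preimages, then search first blocks
    from the IV until a chaining value hits one of them; yields a 2-block message."""
    pseudo = {}
    while len(pseudo) < n_pseudo:
        p0, m2 = pseudo_preimage(target, rng)
        pseudo[p0] = m2
    for _ in range(max_first_blocks):
        m1 = tuple(rng.randrange(1 << W) for _ in range(NWORDS))
        h1 = compress(IV, m1)
        if h1 in pseudo:
            return [m1, pseudo[h1]]
    raise RuntimeError("no connecting first block found")


def run_demo(seed=5350, target=(0xB, 0x2, 0xE, 0x7)):
    """Invert an arbitrary target: a pseudo-preimage, then a 2-block preimage."""
    rng = random.Random(seed)
    p0, m2 = pseudo_preimage(target, rng)
    return target, p0, m2, preimage(target, rng)


if __name__ == "__main__":
    target, p0, m2, blocks = run_demo()
    print("pseudo-preimage", p0, m2, compress(p0, m2) == target)
    print("preimage", blocks, hash_blocks(blocks) == target)
```

Each trial compares $2^4 \times 2^4$ neutral-word pairs on a 16-bit meeting state, so about $2^8$ trials give one pseudo-preimage, and `preimage` then needs about $2^{16}/8$ first blocks: that is the $2^k \cdot 2^{(n-k)/2} + 2^{(n+k)/2}$ trade-off of Section 2.2 in miniature, and the result is a 2-block preimage as in Section 5.1.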

4 Preimage Attacks on HAVAL Following Strategy 1 

We apply the general strategy 1 explained in Section 3.1 to all passes of HAVAL. 
The memory requirement of the attack is negligible. 

First, we consider a preimage attack on 3-pass HAVAL. According to the 
message expansion of HAVAL shown in Table 2, if we make a local collision from 
Steps 9 to 17, the computation results for 77 steps out of 96 steps can be reused 
among different messages. The message word distribution for this attack is shown 
in Table 4. 


Table 4. Message word distribution for fast brute-force attack on 3-pass HAVAL 
(circled words ⑨ and ⑰ form the local collision) 

Step  |  0  1  2  3  4  5  6  7  8 |  9 10 11 12 13 14 15 16 17 | 18 19 20 21 … 29 30 31 
Index |  0  1  2  3  4  5  6  7  8 | ⑨ 10 11 12 13 14 15 16 ⑰ | 18 19 20 21 … 29 30 31 
      |           reused           |      local collision       |        reused 

Step  | 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 | 51 52 53 … 61 62 63 
Index |  5 14 26 18 11 28  7 16  0 23 20 22  1 10  4  8 30  3 21 | ⑨ ⑰ 24 … 25 31 27 
      |                          reused                          | 

Step  | 64 65 66 67 68 69 | 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 … 93 94 95 
Index | 19 ⑨  4 20 28 ⑰ |  8 22 29 14 25 12 24 30 16 26 31 15  7  3  1  0 … 11  5  2 
      |                   |                          reused 
The attack procedure is as follows: 

Attack procedure 

1. Fix $m_{29}$, $m_{30}$, and $m_{31}$ to satisfy the padding for a 1-block message. 

2. Temporarily determine $m_9$ and $m_{17}$, and determine the chaining variables and 
the message words $m_i$, $i \notin \{9, 17, 29, 30, 31\}$, so that Steps 9–17 form a local collision.³ 

3. Randomly determine the other message words that are not specified yet. 

4. Compute $R_j(p_j, m_{\pi(j)})$ for $j = 0, 1, \ldots, 50$ and compute $R_j^{-1}(p_{j+1}, m_{\pi(j)})$ 
for $j = 95, 94, \ldots, 70$, where $p_{96} = H_n - IV$. Store the values of $p_{51}$ and $p_{70}$ 
in a table, where $p_{70} = (Q_{63}\|Q_{64}\|Q_{65}\|Q_{66}\|Q_{67}\|Q_{68}\|Q_{69}\|Q_{70})$. 

5. For all 32 bits of $m_9$, compute $m_{17}$ so that the value of $Q_{18}$ does not change. 
Then compute $R_j(p_j, m_{\pi(j)})$ for $j = 51, 52, \ldots, 62$ and check whether the 
computed $Q_{63}$ is in the table or not. If it is in the table, compute $Q_{64}, \ldots, Q_{70}$ 
and check whether all values match. Otherwise, choose another $m_9$ and repeat 
this process. 

The complexity of the above procedure is $2^{29}$ ($= 2^{32} \cdot \frac{12}{96}$) and the success probability 
of step 5 is $2^{-224}$ ($= 2^{-256} \cdot 2^{32}$). Therefore, by repeating the procedure $2^{224}$ times, 
changing the values of $m_i$, $18 \le i \le 28$, a message that connects a given $IV$ 
and $H_n$ will be found at the complexity of $2^{253}$ ($= 2^{29} \cdot 2^{224}$). 

On 4-pass HAVAL, the attack procedure is similar to that on 3-pass HAVAL. Applying a 
local collision in the last round between Steps 102–110, the complexity of the 
attack is $2^{256} \cdot \frac{128 - (19 + 59 + 7)}{128} \approx 2^{254.43}$. On 5-pass HAVAL, applying a local collision 
in the first round between Steps 19–27, the complexity of the attack is 
$2^{256} \cdot \frac{160 - (56 + 23 + 7)}{160} \approx 2^{254.89}$. 


5 Preimage Attacks on HAVAL Following Strategy 2

Our general strategy 1 works for all passes of HAVAL; however, its efficiency is not high. This section further reduces the complexity of preimage attacks by using general strategy 2, which uses the meet-in-the-middle approach.


5.1 A Preimage Attack on 3-Pass HAVAL

We propose a preimage attack on 3-pass HAVAL, which finds a pseudo-preimage of 3-pass HAVAL at a complexity of 2^192, and is converted to a preimage attack of complexity 2^225. Thus, the resulting preimage is 2 blocks long. This attack uses the splice-and-cut and partial-matching techniques as shown in Table 5.

The attack procedure for a hash value H_n = (H_a || H_b || H_c || H_d || H_e || H_f || H_g || H_h) is as follows.


³ How to determine the chaining variables and messages to obtain a local collision is explained in Section 3.2. A local collision for this attack can be obtained by a similar method.
Table 5. Message word distribution for 3-pass HAVAL

Step     0   1  |  2 3 4  5  6 7 8 9 10  11  12 13 ··· 21 22 23 24 25 26 27 28 29 30 31
index   [0] [1] |  2 3 4 [5] 6 7 8 9 10 [11] 12 13 ··· 21 22 23 24 25 26 27 28 29 30 31
        skip    |  first chunk

Step    32 33 34 35  36 37 38 39 |  40 41 42 43  44 45 ··· 53 54 55 56 57 58 59 60 61 62 63
index  [5] 14 26 18 [11] 28  7 16 | [0] 23 20 22 [1] 10 ··· 24 29  6 19 12 15 13  2 25 31 27
        first chunk              |  second chunk

Step   64 65 66 67 68 69 70 71 72 73 74 75 ··· 83  84  85 86 87 88 89 90 91 92 |  93  94 95
index  19  9  4 20 28 17  8 22 29 14 25 12 ···  3 [1] [0] 18 27 13  6 21 10 23 | [11] [5]  2
        second chunk                                                          |  skip

Variables for which we try all possible values are circled in the original; they are shown here in square brackets.

Attack procedure

1. Fix m29, m30, and m31 to satisfy the padding for a 2-block message.

2. Fix m_i (i ∉ {0, 1, 5, 11}) and p_40 to randomly chosen values.

3. For all (m0, m1), do: p_{j+1} ← R_j(p_j, m_π(j)) for j = 40, 41, ..., 92.

4. Make a table of the tuples (m0, m1, p_93, (H_e − Q_93, H_d − Q_92, H_c − Q_91)) computed in the last step, where p_93 = (Q_86 || Q_87 || Q_88 || Q_89 || Q_90 || Q_91 || Q_92 || Q_93).

5. For all (m5, m11),

(a) do the following: p_j ← R_j^{-1}(p_{j+1}, m_π(j)) for j = 39, 38, ..., 2, where p_2 = (Q_{-5} || Q_{-4} || Q_{-3} || Q_{-2} || Q_{-1} || Q_0 || Q_1 || Q_2).

(b) Check whether Q_{-5}, Q_{-4}, and Q_{-3} match H_c − Q_91, H_d − Q_92, and H_e − Q_93 in the table.

(c) If they match, compute p_94, p_95, p_96, p_0, and p_1 by using the matched pairs, and check whether H_n = p_0 + p_96 is satisfied.

(d) If it is satisfied, the corresponding message together with p_0 is a pseudo-preimage of H_n.

In the above procedure, the complexity of step 3 is 2^64 · 53/96 and the complexity of step 5 is 2^64 · 38/96. After step 5(b), 2^32 (= 2^128 · 2^{-96}) pairs are expected to remain. After step 5(c), 2^{-128} (= 2^{-160} · 2^32) pairs are expected to remain. Therefore, by repeating the above procedure 2^128 times, we expect to obtain a pseudo-preimage, at a complexity of 2^192 (= 2^64 · 2^128). Finally, this pseudo-preimage attack is converted to a preimage attack of complexity 2^225 by the generic approach explained in Section 2.2⁴. Step 4 requires 13 × 2^64 words of memory and the other steps require a negligible amount of memory.

5.2 A Preimage Attack on 4-Pass HAVAL

We propose a preimage attack on 4-pass HAVAL, which finds a pseudo-preimage of 4-pass HAVAL at a complexity of 2^224, and is converted to a preimage attack of complexity 2^241. Thus, the resulting preimage is 2 blocks long. This

⁴ Combining the attack proposed by Aumasson et al. described in Section 2.3 with the P3 graph proposed in [3] gives a preimage attack with a complexity of 2^225. Moreover, following [?, Appendix], the complexity is further improved to 2^224, but the length of the preimage message becomes very long.
Table 6. Message word distribution for 4-pass HAVAL

Step    0 1 2 3 4  5  6 7 ··· 20 21 22 23 |  24  25 26 27 28 29 30 31 |  32
index   0 1 2 3 4 [5] 6 7 ··· 20 21 22 23 | [24] 25 26 27 28 29 30 31 | [5]
        second chunk                     |  local collision (1-cycle)

Step   33 34 ··· 48 49 50 51 52  53  54 55 56 57 58 59 60 61 62 63
index  14 26 ··· 30  3 21  9 17 [24] 29  6 19 12 15 13  2 25 31 27
        first chunk

Step   64 65 66 67 68 69 70 71 72 73 74 75  76  77 ··· 90 91 92 93 |  94 95 |  96
index  19  9  4 20 28 17  8 22 29 14 25 12 [24] 30 ··· 21 10 23 11 | [5]  2 | [24]
        first chunk                                                |  skip  |  skip

Step   97 98 ··· 112 113 114 115 116 117 118 119 120 121  122 123 124 125 126 127
index   4  0 ···  22  11  31  21   8  27  12   9   1  29  [5]  15  17  10  16  13
        second chunk

Variables for which we try all possible values are circled in the original; they are shown here in square brackets.

Table 7. Fixed values for preimage attack on 4-pass HAVAL

step j   m_π(j)     Q_{j-7}  Q_{j-6}  Q_{j-5}  Q_{j-4}  Q_{j-3}  Q_{j-2}  Q_{j-1}  Q_j
  24     [m24]      [Q17]    C1       C2       C3       C4       1        0        0
  25      m25        C1      C2       C3       C4       1        0        0        *
  26      m26        C2      C3       C4       1        0        0        *        0
  27      m27        C3      C4       1        0        0        *        0        0
  28      m28        C4      1        0        0        *        0        0        0
  29      m29 (pad)  1       0        0        *        0        0        0        C5
  30      m30 (pad)  0       0        *        0        0        0        C5       C6
  31      m31 (pad)  0       *        0        0        0        C5       C6       C7
  32     [m5]        *       0        0        0        C5       C6       C7       C8
  33                 0       0        0        C5       C6       C7       C8       [Q33]

Messages used for the padding string (underlined in the original) are marked "(pad)".
Variables for which we try all possible values (circled in the original) are shown in square brackets.


attack uses the splice-and-cut, partial-matching, and local-collision techniques as shown in Table 6.

In this attack, we need to guarantee that the neutral words form a local collision in Steps 24-32. This is achieved by fixing chaining variables so that the change of a chaining variable corresponding to both neutral words does not propagate through the Boolean functions. How the chaining variables are fixed is shown in Table 7, where 0, 1, C_i, and * denote 0x00000000, 0xffffffff, a fixed value, and a flexible value that depends on the values of the neutral words, respectively.

The attack procedure for a hash value H_n = (H_a || H_b || H_c || H_d || H_e || H_f || H_g || H_h) is as follows.

Attack procedure

1. Randomly choose the values of C1, ..., C5, and fix the values of the chaining variables denoted by C1, ..., C5, 0, and 1 in Table 7.

2. Compute m_i (i ∈ {25, 26, 27, 28}) by solving the step function.

3. Fix m29, m30, and m31 to satisfy the padding for a 2-block message.

4. Compute Q_30, Q_31, and Q_32 by the step function.

5. Randomly determine other message words that are not specified yet.

6. For all (m5, Q_17), do the following:

   p_j ← R_j^{-1}(p_{j+1}, m_π(j)) for j = 23, 22, ..., 0,
   p_128 ← H_n − p_0,
   p_j ← R_j^{-1}(p_{j+1}, m_π(j)) for j = 127, 126, ..., 97.

7. Make a table of the tuples (m5, Q_17, p_97) computed in the last step, where p_97 = (Q_90 || Q_91 || Q_92 || Q_93 || Q_94 || Q_95 || Q_96 || Q_97).

8. For all (m24, Q_33),

(a) do the following: p_{j+1} ← R_j(p_j, m_π(j)) for j = 33, 34, ..., 93, where p_94 = (Q_87 || Q_88 || Q_89 || Q_90 || Q_91 || Q_92 || Q_93 || Q_94).

(b) Check whether Q_94, Q_93, Q_92, Q_91, and Q_90 match those stored in the table.

(c) If they match, compute p_95, p_96, and p_97 with the matched pairs, and check whether they match those stored in the table.

(d) If matched, compute Q_25, which is denoted by * in Table 7, by the step function for Step 24 with the matched (m24, Q_17) and by the step function for Step 33 with the matched (m5, Q_33).

(e) Check whether both results for Q_25 match.

(f) If matched, the corresponding message together with p_0 is a pseudo-preimage of H_n.

In the above procedure, the complexity of step 6 is 2^64 · 55/128 and the complexity of step 8 is 2^64 · 61/128. After step 8(b), 2^{-32} (= 2^128 · 2^{-160}) pairs are expected to remain. After step 8(c), 2^{-128} (= 2^{-32} · 2^{-96}) pairs are expected to remain. After step 8(e), 2^{-160} (= 2^{-128} · 2^{-32}) pairs are expected to remain. Therefore, by repeating the above procedure 2^160 times, we expect to obtain a pseudo-preimage, at a complexity of 2^224 (= 2^64 · 2^160). Finally, this pseudo-preimage attack is converted to a preimage attack of complexity 2^241 by the generic approach explained in Section 2.2. Step 7 requires 10 × 2^64 words of memory and the other steps require a negligible amount of memory.


5.3 Notes on Preimage Attack on 5-Pass HAVAL

A preimage attack on 5-pass HAVAL reduced to 151 steps

5-pass HAVAL reduced to 151 steps, which uses the first 151 steps of 5-pass HAVAL, can be attacked by almost the same approach as the attack on 4-pass HAVAL. In Table 6, Step 127 is a part of the second chunk that includes m5 and is independent of m24. According to the message expansion shown in Table 8, Steps 128-150 are independent of m24. Therefore, the attack on 4-pass HAVAL in the last section can also be applied to the first 151 steps of 5-pass HAVAL. The complexity is almost the same, so we can find a pseudo-preimage at a complexity of 2^224, and this attack is converted to a preimage
Table 8. Message word distribution for 5-pass HAVAL (full)

Step    0 1 2 3 4 5 ··· 19  20  21 22 23 24 25 |  26  27 28 29 30 31
index   0 1 2 3 4 5 ··· 19 [20] 21 22 23 24 25 | [26] 27 28 29 30 31
        second chunk                           |

Step   32 33  34  35 36 37 38 39 40 41  42  43 44 45 46 47 48 49 ··· 63 | 64 65 66  67
index   5 14 [26] 18 11 28  7 16  0 23 [20] 22  1 10  4  8 30  3 ··· 27 | 19  9  4 [20]
                                                                        |  skip

Step   68 69 70 71 72 73 74 75 76 77 78  79  80 81 ··· 95 | 96 ··· 103  104 105 106
index  28 17  8 22 29 14 25 12 24 30 16 [26] 31 15 ···  2 | 24 ···  23 [26]   6  30
        first chunk                                       |  first chunk

Step   107 108 109 110 111 112 113 114 115 116 117 ··· 121 ··· | 128 129 130  131
index  [20] 18  25  19   3  22  11  31  21   8  27 ···  29 ··· |  27   3  21 [26]
        local collision (3-cycle)                              |  local collision

Step   132 133  134 135 136 137 138 139 140 141 142 143 144 145 ··· 159
index   17  11 [20]  29  19   0  12   7  13   8  31  10   5   9 ···  15
        second chunk

Variables for which we try all possible values are circled in the original; they are shown here in square brackets.

attack of complexity 2^241, which requires 10 × 2^64 words of memory. Note that we experimentally confirmed that there is no selection of chunks that can attack more than 151 steps at a better complexity.
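The chunk-independence claims in Tables 5, 6 and 8 and in the paragraph above (Steps 128-150 never use m24, Step 151 does) can be checked mechanically against the HAVAL message schedule. The following added example is not the paper's code; it embeds the published HAVAL word order for passes 1-5 and verifies that each chunk avoids the other chunk's neutral words while containing its own.

```python
# Added example (not from the paper): check the chunk splits used by the
# meet-in-the-middle attacks against the HAVAL message-word schedule.
# HAVAL_WORD_ORDER is the HAVAL specification's word order for passes 1-5
# (pass 1 is the identity); Tables 5, 6 and 8 reproduce it with elisions.
HAVAL_WORD_ORDER = [
    list(range(32)),
    [5, 14, 26, 18, 11, 28, 7, 16, 0, 23, 20, 22, 1, 10, 4, 8,
     30, 3, 21, 9, 17, 24, 29, 6, 19, 12, 15, 13, 2, 25, 31, 27],
    [19, 9, 4, 20, 28, 17, 8, 22, 29, 14, 25, 12, 24, 30, 16, 26,
     31, 15, 7, 3, 1, 0, 18, 27, 13, 6, 21, 10, 23, 11, 5, 2],
    [24, 4, 0, 14, 2, 7, 28, 23, 26, 6, 30, 20, 18, 25, 19, 3,
     22, 11, 31, 21, 8, 27, 12, 9, 1, 29, 5, 15, 17, 10, 16, 13],
    [27, 3, 21, 26, 17, 11, 20, 29, 19, 0, 12, 7, 13, 8, 31, 10,
     5, 9, 14, 30, 18, 6, 28, 24, 2, 23, 16, 22, 4, 1, 25, 15],
]


def word_index(step):
    """pi(j): index of the message word m_{pi(j)} consumed at step j, 0 <= j < 160."""
    return HAVAL_WORD_ORDER[step // 32][step % 32]


def steps_using(word, passes):
    """All steps of `passes`-pass HAVAL that consume message word m_word."""
    return [j for j in range(32 * passes) if word_index(j) == word]


def independent(steps, word):
    """True when none of `steps` consumes m_word (the chunk-independence condition)."""
    return all(word_index(j) != word for j in steps)


def _steps(a, b):
    """Inclusive step range a..b."""
    return list(range(a, b + 1))


def check_paper_chunks():
    """Chunk splits stated in the text (Tables 5, 6, 8 and Section 5.3).

    A chunk must be independent of the other chunk's neutral words and must
    itself contain its own neutral words, otherwise there is nothing to enumerate.
    Returns {name: bool}.
    """
    splits = {
        # 3-pass: first chunk 2-39 (neutral m5, m11), second chunk 40-92 (neutral m0, m1)
        "3-pass": (_steps(2, 39), [5, 11], _steps(40, 92), [0, 1]),
        # 4-pass: first chunk 33-93 (neutral m24), second chunk 97-127 and 0-23 (neutral m5)
        "4-pass": (_steps(33, 93), [24], _steps(97, 127) + _steps(0, 23), [5]),
        # full 5-pass: first chunk 68-106 (neutral m26), second chunk 132-159 and 0-25 (neutral m20)
        "5-pass": (_steps(68, 106), [26], _steps(132, 159) + _steps(0, 25), [20]),
    }
    results = {}
    for name, (first, first_neutral, second, second_neutral) in splits.items():
        ok = all(independent(first, w) for w in second_neutral)
        ok = ok and all(independent(second, w) for w in first_neutral)
        ok = ok and all(not independent(first, w) for w in first_neutral)
        ok = ok and all(not independent(second, w) for w in second_neutral)
        results[name] = ok
    # Section 5.3: Steps 128-150 of 5-pass HAVAL do not use m24, but Step 151 does.
    results["5-pass reduced to 151 steps"] = (
        independent(_steps(128, 150), 24) and word_index(151) == 24
    )
    return results


if __name__ == "__main__":
    for name, ok in check_paper_chunks().items():
        print(f"{name}: {'consistent with the schedule' if ok else 'INCONSISTENT'}")
```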

A preimage attack on full 5-pass HAVAL

As mentioned in Section 3.2, our attack works efficiently on a hash function with at most 4 rounds, but does not work on one with more than 4 rounds. However, by combining it with exhaustive search, we can find a pseudo-preimage at a complexity of 2^253.81.

To attack full 5-pass HAVAL, we need to use all the techniques explained: the splice-and-cut, partial-matching, and local-collision techniques. The selection of the chunks is shown in Table 8. We stress that our computer search program did not find a pair of chunks that can be attacked with a 9-step local collision. This problem was solved by using the long collision path introduced in Section 3.3. To guarantee that the neutral words form a local collision in Steps 107-131, we fix chaining variables as shown in Table 9.

1. Fix the values of the chaining variables as shown in Table 9 and derive the corresponding messages by using the step function.

2. Fix the values of the message words that are not used inside the local-collision steps. Note that there is enough message space to find a pseudo-preimage.

3. For all 2^32 values of Q_108, compute the corresponding value of Q_124. Store the result in a table named Table A.

4. For all 2^64 values of (m26, Q_100), do the following:

   p_j ← R_j^{-1}(p_{j+1}, m_π(j)) for j = 106, 105, ..., 68.

   Store (m26, Q_100, p_68) in a table named Table B.
Table 9. Fixed values for preimage attack on 5-pass HAVAL

Round  step j   m_π(j)    Q_{j-7}  Q_{j-6}  Q_{j-5}  Q_{j-4}  Q_{j-3}  Q_{j-2}  Q_{j-1}  Q_j
 4R     107     [m20]     [Q100]   C1       C2       C3       1        0        1        1
        108      m18       C1      C2       C3       1        0        1        1        *(Q108)
        109      m25       C2      C3       1        0        1        1        *        1
        110      m19       C3      1        0        1        1        *        1        1
        111     °m3        1       0        1        1        *        1        1        1
        112      m22       0       1        1        *        1        1        1        1
        113      m11       1       1        *        1        1        1        1        0
        114      m31       1       *        1        1        1        1        0        1
        115     (°m21)     *       1        1        1        1        0        1        1
        116      m8        1       1        1        1        0        1        1        *(Q116)
        117     °m27       1       1        1        0        1        1        *        1
        118      m12       1       1        0        1        1        *        1        1
        119      m9        1       0        1        1        *        1        1        1
        120      m1        0       1        1        *        1        1        1        1
        121      m29       1       1        *        1        1        1        1        0
        122      m5        1       *        1        1        1        1        0        0
        123     (m15)      *       1        1        1        1        0        0        0
        124      m17       1       1        1        1        0        0        0        *(Q124)
        125      m10       1       1        1        0        0        0        *        0
        126      m16       1       1        0        0        0        *        0        0
        127      m13       1       0        0        0        *        0        0        C4
 5R     128     °m27       0       0        0        *        0        0        C4       0
        129     °m3        0       0        *        0        0        C4       0        C5
        130     °m21       0       *        0        0        C4       0        C5       C6
        131     [m26]      *       0        0        C4       0        C5       C6       C7
        132                0       0        C4       0        C5       C6       C7       [Q132]

Messages that appear twice are stressed with °.
Uninvolved messages are written in parentheses.
Variables for which we try all possible values (circled in the original) are shown in square brackets.


5. For all 2^64 values of (m20, Q_132), do the following:

   p_{j+1} ← R_j(p_j, m_π(j)) for j = 132, 133, ..., 159,
   p_0 ← H_n − p_160,
   p_{j+1} ← R_j(p_j, m_π(j)) for j = 0, 1, ..., 25.

   Store (m20, Q_132, p_26) in a table named Table C.

6. For all 2^96 values of (m26, Q_100, m20), do the following.

(a) Compute the value of Q_108 by using (m20, Q_100).

(b) Find the corresponding value of Q_124 by looking up Table A.

(c) Compute the corresponding value of Q_132 by using Q_124 and m26.

(d) Find the corresponding values of p_68 and p_26 by looking up Tables B and C.

(e) Compute the skipped steps, which are Steps 26-67, by using (m26, p_26, m20, p_68).

(f) If the skipped steps match, output the corresponding messages.

In the above procedure, steps 1 and 2 finish in negligible time. Step 3 takes a complexity of about 2^32 · 16/160. Step 4 takes a complexity of 2^64 · 39/160, and step 5 takes a complexity of 2^64 · 54/160. Steps 6(a) to 6(d) finish in negligible time for each (m26, Q_100, m20). Step 6(e) seems to take a complexity of 2^96 · 42/160, but this can easily be improved to 2^96 · 36/160 by the partial-matching technique. Furthermore, the equation for computing Step 26 can be written as follows:

Q_27 ← m_π(26) + (term independent of m_π(26)).

Therefore, Step 26 can be computed at negligible cost compared to one step function, and thus the complexity becomes 2^96 · 35/160. After Step 6(f) the number of matched messages is evaluated as 2^{-160} (= 2^{-256} · 2^96). Therefore, by repeating steps 2 to 6 of the above procedure 2^160 times, a pseudo-preimage can be found at a complexity of 2^160 · 2^96 · 35/160 ≈ 2^253.81. Steps 4 and 5 require 20 × 2^64 words of memory in total and the other steps require a negligible amount of memory. To apply depth-first search for steps 4 to 6, Table B or C can be removed and the memory requirement becomes half.

Notes on the local collision shown in Table 9. In the local collision shown in Table 9, m3, m21, and m27 appear twice. Therefore, we need to be careful so that all fixed values in Table 9 can be achieved. m21 is used in Steps 115 and 130. Since the message used in Step 115 is an uninvolved message, we can determine m21 so that Step 130 is satisfied and ignore the influence on Step 115. Regarding m3 and m27, since they are used in Steps 129 and 128, whose outputs can be any value (C6 and C5), m3 and m27 can be fixed so that Steps 111 and 117 are satisfied. This local collision also includes m29, which is involved in the message padding. Unfortunately, this local collision needs to fix m29 to a unique value, since all input and output values of Step 121 are fixed. As a result, this attack cannot satisfy the message padding of 5-pass HAVAL. It is interesting that the uniquely fixed m29 satisfies the message padding rules of MD5. Since the padding rules of HAVAL require more information to be encoded than those of MD5, for example the output length and the pass number, the fixed m29 does not satisfy the padding for HAVAL but does satisfy the padding for MD5.

6 Conclusion

In this paper, we proposed preimage attacks on HAVAL. We considered two general strategies to find a preimage. The first approach is speeding up the brute-force attack. By this approach, we can reduce the complexity of preimage attacks by a few bits. The second approach is the meet-in-the-middle approach. We found that the techniques proposed by [1] and [2] can be combined to attack hash functions with more rounds than in previous works. As a result, we found a pseudo-preimage attack and a preimage attack on 3-pass HAVAL whose complexities are 2^192 and 2^225, a pseudo-preimage attack and a preimage attack on 4-pass HAVAL whose complexities are 2^224 and 2^241, and a pseudo-preimage attack and a preimage attack on 151-step 5-pass HAVAL whose complexities are also 2^224 and 2^241. Moreover, we optimized the computational order for the brute-force attack on 5-pass HAVAL and its complexity is 2^254.89. As far as we know, the proposed attack on 3-pass HAVAL is the best attack and the proposed attacks on 4-pass HAVAL and 5-pass HAVAL are the first attacks.
Abstract. Many of the popular Merkle-Damgard hash functions have turned out to be not collision-resistant (CR). The problem is that we no longer know if these hash functions are even second-preimage-resistant (SPR) or one-way (OW), without the underlying compression functions being CR. We remedy this situation by introducing the "split padding" into a current Merkle-Damgard hash function H. The patched hash function H resolves the problem in the following ways: (i) H is SPR if the underlying compression function h satisfies an "SPR-like" property, and (ii) H is OW if h satisfies an "OW-like" property. The assumptions we make about h are provided with simple definitions and clear relations to other security notions. In particular, they belong to the class whose existence is ensured by that of OW functions, revealing an evident separation from the strong CR requirement. Furthermore, we get the full benefit from the patch at almost no expense: the new scheme requires no change in the internals of a hash function, runs as efficiently as the original, and as usual inherits CR from h. Thus the patch has significant effects on systems and applications whose security relies heavily on the SPR or OW property of Merkle-Damgard hash functions.

Keywords: hash function, Merkle-Damgard, padding, second-preimage resistance, one-wayness.

1 Introduction

Most modern cryptographic hash functions follow a design principle called the Merkle-Damgard construction. A main feature of such a hash function is that its collision resistance (CR) is guaranteed by that of its underlying compression function [21,8], yet unfortunately the popular hash functions MD5 [?] and SHA-1 [23] are now shown to be not CR, hence losing the CR of their respective compression functions. These attacks have a profound impact on current systems using hash functions, not to mention those applications whose security is entirely based on the CR property of their hash-function components.

The loss of CR also exerts a strong influence on schemes whose security depends on the second-preimage resistance (SPR) or one-wayness (OW) of Merkle-Damgard hash functions. This is due to the fact that the SPR or OW security of such a hash function is hitherto ensured only by its CR (recall that SPR is immediately implied by CR [?] and that OW is also implied by CR as long as the hash function is "uniform" [20] or "sufficiently compressing" [?]¹). Now that the popular hash functions are not CR, we lose our proof-based assurance of the SPR and OW properties for these hash functions. To summarize:

We have no guarantee whatsoever of the SPR or OW property for a Merkle-Damgard hash function without CR by its underlying compression function.

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 272–289, 2008.

This is the main problem we explore in the paper. We come up with a solution by first making a slight modification to the design of current hash functions. The change is fully compatible with a standard Merkle-Damgard interface. We then show that the patched hash functions indeed accomplish SPR and OW, assuming weaker-than-CR properties of the underlying compression functions.

Obtaining Upper-Bound Results for SPR and OW. A more direct way to overcome the problem at hand is to analyze exactly what sorts of properties the underlying compression function must possess in order to ensure the SPR and OW security of the Merkle-Damgard construction. [?] takes this approach and identifies complexity assumptions about the underlying compression function which assure the SPR or OW property of the whole hash function. However, they do not consider the non-randomness involved in the padding or length-encoding bits.

Rather, we treat the problem of padding and length-encoding bits in detail. The importance of these bits has already been pointed out by [?]. We then come up with simple formulations of the complexity assumptions about the compression function, showing that these assumptions are indeed weaker than the CR requirement.

Need for SPR and OW Hash Functions. CR, SPR and OW are the three classical requirements for the security of keyless hash functions (e.g., [?]). We already know that the notion of CR plays an important role in designing cryptographic schemes. However, there are situations in which CR is not necessarily required but SPR or OW is essential to the security of systems. For example, adversaries might be unable to control input data to the hash function, say by protocol specification or by the fact that inputs are encrypted under a secret key before hashing.

A CR hash function may not be best suited to the above scenarios due to its large hash size. Recall that for n-bit security the hash size of a CR hash function needs to be (at least) 2n bits. Suppose we want to use an SPR hash function with n-bit security. If the SPR security of hash functions were guaranteed only by their CR, then we would need to use a 2n-bit hash function, whereas we could just use an n-bit hash function if the SPR security is directly guaranteed (not via its CR).

Our Results. We apply a patch to the Merkle-Damgard construction so that the SPR and OW properties are now guaranteed by certain reasonable and simple assumptions about the compression function.

¹ On the other hand, we assume that messages are distributed uniformly at random, which may not hold true in some practical applications, as pointed out by [?].
Split Padding. This is the patch. The new scheme works exactly the same as the original hash function except for the very end; the split-padding method alters the processing of the last two blocks of a message. Message expansion is minimal, requiring at most one extra block (and such a case is rare). The new scheme is compatible with fixed-IV (initialization vector) usage and Merkle-Damgard strengthening. It can also handle a message in a stream by delaying processing and buffering the two most recent blocks of the message.

CR Preservation. There is "nothing to lose" by applying the patch. Namely, we show that the CR preservation property of the original Merkle-Damgard construction is still in action with our new scheme. This motivates us to apply the patch to systems whose hash functions are still CR (e.g., SHA-256).

SPR Guarantee. This is one of the main features of our new mode of operation. The entire hash function can be proven SPR based on the assumption that the underlying compression function satisfies a property we call "cs-SPR" (chosen-suffix SPR).

OW Guarantee. This is the other main feature of the new construction. We show that the OW security of the entire hash function is ensured by the "cs-OW" (chosen-suffix OW) property of the underlying compression function.

Justification for cs-SPR and cs-OW. We give the rationale behind our choice of these assumptions by demonstrating their relationships with several known versions of the SPR and OW properties. In particular, we show that these assumptions are strictly weaker than the strong CR requirement, by proving that they belong to the class whose existence is guaranteed by that of an OW function.

Without Random Oracles. We avoid the use of random oracles in our proofs of security. The proofs of the SPR and OW properties are conducted in the standard model, following the concrete-security-reduction methodology. For the proof of CR preservation, we adopt the "human-ignorance" approach developed by [?].

Organization of the Paper. In Sect. 2 we review previous work related to the topic. Section 3 provides the necessary definitions for the security of hash functions. In Sect. 4 we give a description of our patch "split padding." The proofs for the CR, SPR and OW properties of our scheme are given in Sect. 5, 6 and 7, respectively. We analyze the assumption cs-SPR in Sect. 8, followed by a similar analysis of cs-OW in Sect. 9. Section 10 presents certain applications of our scheme.

2 Related Work 

Merkle-Damgard Construction. [2] points out that the SPR or OW assumption about a compression function alone is not sufficient for the SPR or OW property of its Merkle-Damgard iteration. [?] observes that the use of a fixed IV precludes the trivial "truncation" or "free-start" SPR attack and that Merkle-Damgard strengthening (i.e., length encoding in the final block) appears to defeat "long-message" SPR attacks. Later it was shown that birthday-type SPR attacks are still possible on the Merkle-Damgard construction [?], disproving the effectiveness of Merkle-Damgard strengthening against long-message SPR attacks.

Keyed (Randomized) Hash Functions. Hash functions in theory are often in the dedicated-key setting [?]. [?] describes seven security notions in such a setting: Coll, Sec, eSec, aSec, Pre, ePre and aPre. ROX [2] is a powerful mode of operation that preserves all seven properties of the underlying compression function. Since aSec and aPre correspond to SPR and OW in the keyless setting, ROX can be used with its keys fixed, thereby as a keyless hash function. Unfortunate aspects of ROX are that it requires major modifications to the design of current hash functions and that its security is based on the use of random oracles.

BCM [3] achieves the Coll, Sec and Pre properties with its proof of Sec security conducted in the standard model (that of Pre is in the random oracle model). However, the aSec property is not achieved, and hence BCM is not suited to our keyless setting (the BCM construction yields a keyed, Sec-secure hash function, and the keys cannot be fixed because it does not assure aSec).

There exist a number of domain-extension constructions for eSec (= TCR, UOWHF). A prominent one is Randomized Hashing [?]. Randomized Hashing has a close connection with our split padding, cf. Sect. 10.

SPR and OW Attacks on Specific Hash Algorithms. MD4 is now shown to be not OW [?]. The attack first finds "pseudo-preimages" for the compression function and then extends them to the entire hash function. [?] studies the SPR and OW properties of Snefru, being already aware of the importance of the padding scheme to these security notions.

Other Weaknesses of Merkle-Damgard Construction. It has been pointed out that there exist a number of properties that the Merkle-Damgard construction does not achieve. These include multi-collisions [?], herding attacks [?], indifferentiability [?] and balance [?]. It is certainly not the purpose of our construction to achieve these goals. Rather, we focus on the classical three notions of CR, SPR and OW.

3 Definitions 

Notation. Given a finite bit string x ∈ {0,1}* we define |x| as the bit length of x. The notation x1 || x2 represents the concatenation of two strings x1, x2 ∈ {0,1}*. We write ⌈·⌉ for the ceiling function. By x ← X we indicate the operation of selecting an element uniformly at random from the set X and assigning its value to the variable x. We write 0^n for the bit string 00···0 (n times).

Given a function f : X → Y, we say that a pair (x, x') ∈ X × X is colliding with respect to f if f(x) = f(x') and x ≠ x'. We write x ⋈_f x', or simply x ⋈ x', to indicate the fact that x and x' are colliding. Similarly, given a keyed function f_k : X → Y we write (k, x) ⋈_f (k', x') when f_k(x) = f_{k'}(x') and (k, x) ≠ (k', x').
Algorithm MD-strengthening(y)

101  Set η ← ⌈(|y| + 1)/(m − n)⌉
102  Divide y = y[1] || ··· || y[η − 1] || y[η]
     so that |y[1]| = ··· = |y[η − 1]| = m − n and 0 ≤ |y[η]| ≤ m − n − 1
103  If |y[η]| ≤ m − n − σ − 1 then z ← y || 1 0^{m−n−σ−1−|y[η]|} || ⟨|y|⟩ EndIf
104  If |y[η]| ≥ m − n − σ then z ← y || 1 0^{m−n−1−|y[η]|} || 0^{m−n−σ} || ⟨|y|⟩ EndIf
105  Output z

Algorithm MD-iteration(z)   // Accepts only z with |z| being a multiple of m − n

201  Set ℓ ← |z|/(m − n)
202  Divide z = z[1] || ··· || z[ℓ] so that |z[1]| = ··· = |z[ℓ]| = m − n
203  Set v[0] ← IV; For i = 1, ..., ℓ do v[i] ← h(z[i] || v[i − 1]) EndFor; Output v[ℓ]


Fig. 1. Definitions of functions MD-strengthening and MD-iteration


An adversary A is a probabilistic algorithm that takes inputs. An adversary A may often be a pair of such algorithms, as A = (A1, A2). We write y ← A(x) to mean that adversary A outputs a value upon its input x, the output value being assigned to the variable y.

Merkle-Damgard Construction. Throughout the paper we fix a compression function h : {0,1}^m → {0,1}^n with m > n. We also fix a value IV ∈ {0,1}^n. We choose a length-encoding function ⟨·⟩, which takes an integer as its input and returns a σ-bit representation of the input value (a typical value of σ is 64). This restricts message lengths to a maximum of 2^σ − 1 bits. Hence, the domain of the hash function should formally be written as {0,1}^{≤ 2^σ − 1}, but for simplicity we write {0,1}* to indicate the message space. Now the Merkle-Damgard hash function H : {0,1}* → {0,1}^n is defined as

H(x) := MD-iteration(MD-strengthening(x)),

where the functions MD-strengthening and MD-iteration are as described in Fig. 1². We adopt the convention that on empty input (i.e., the null string) the function MD-iteration returns the value IV.
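Fig. 1 and the definition of H above can be run as an added example over bit strings (this is not the paper's code). It assumes toy parameters m = 24, n = 8, σ = 8 and a stand-in compression function built from SHA-256; the point is the two padding cases of lines 103 and 104 and the h(z[i] || v[i − 1]) ordering of line 203.

```python
# Added example (not the paper's code): Fig. 1 as executable Python over '0'/'1'
# strings. The parameters m = 24, n = 8, sigma = 8 and the toy compression
# function are assumptions chosen so the construction can be run and checked.
import hashlib
import math


def encode_length(length, sigma):
    """<|y|>: the sigma-bit representation of the message length."""
    assert 0 <= length <= 2 ** sigma - 1, "message longer than the length field allows"
    return format(length, f"0{sigma}b")


def md_strengthening(y, m, n, sigma):
    """Lines 101-105 of Fig. 1: pad y to a multiple of m - n bits."""
    blk = m - n
    eta = math.ceil((len(y) + 1) / blk)                  # line 101
    last = len(y) - (eta - 1) * blk                      # |y[eta]|, line 102
    assert 0 <= last <= blk - 1
    if last <= blk - sigma - 1:                          # line 103: length fits in the last block
        z = y + "1" + "0" * (blk - sigma - 1 - last) + encode_length(len(y), sigma)
    else:                                                # line 104: one extra block is needed
        z = (y + "1" + "0" * (blk - 1 - last)
             + "0" * (blk - sigma) + encode_length(len(y), sigma))
    assert len(z) % blk == 0
    return z


def md_iteration(z, h, iv, m, n):
    """Lines 201-203 of Fig. 1; the block precedes the chaining value (footnote 2)."""
    blk = m - n
    assert len(z) % blk == 0, "MD-iteration accepts only multiples of m - n bits"
    v = iv                                               # v[0] <- IV
    for i in range(len(z) // blk):
        v = h(z[i * blk:(i + 1) * blk] + v)              # v[i] <- h(z[i] || v[i-1])
    return v                                             # empty z returns IV, as agreed


def toy_h(x):
    """Assumed compression function {0,1}^24 -> {0,1}^8 built from SHA-256.

    It is only a deterministic stand-in for h; nothing about its security is claimed.
    """
    assert len(x) == 24
    digest = hashlib.sha256(int(x, 2).to_bytes(3, "big")).digest()
    return format(digest[0], "08b")


def toy_md_hash(message_bits, m=24, n=8, sigma=8, iv="0" * 8):
    """H(x) = MD-iteration(MD-strengthening(x)) with the toy parameters."""
    return md_iteration(md_strengthening(message_bits, m, n, sigma), toy_h, iv, m, n)


if __name__ == "__main__":
    for msg in ("", "1" * 7, "1" * 8, "1" * 20, "0" * 28):
        z = md_strengthening(msg, 24, 8, 8)
        print(f"|y|={len(msg):2d}  |z|={len(z):2d}  H={toy_md_hash(msg)}")
```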

Let z and z' be two strings whose lengths are multiples of m − n bits. Divide them into (m − n)-bit blocks as z = z[1] || ··· || z[ℓ] and z' = z'[1] || ··· || z'[ℓ']. Suppose MD-iteration(z) = MD-iteration(z') and z ≠ z'. We define

index(z, z') := i,

where i is defined to be the largest integer in {1, 2, ..., ℓ} such that the following (i), (ii) and (iii) hold: (i) MD-iteration(z[1] || ··· || z[i]) = MD-iteration(z'[1] || ··· || z'[i]), (ii) z[j] = z'[j] for all j ≥ i + 1, (iii) either z[i] ≠ z'[i] or MD-iteration(z[1] || ··· || z[i − 1]) ≠ MD-iteration(z'[1] || ··· || z'[i − 1]).

² For a technical reason we deliberately define the iteration as h(z[i] || v[i − 1]) at line 203 rather than as h(v[i − 1] || z[i]).

Table 1. Complexity assumptions about keyless compression function h : {0,1}^m → {0,1}^n

Notion (Alias)               Game
fp-CR (c-SPR [?])            x ← {0,1}^μ, (a, x') ← A(x), x||a ⋈ x'
cs-SPR                       (a, St) ← A1(·), x ← {0,1}^μ, x' ← A2(x, St), x||a ⋈ x'
SPR (weak CR)                x ← {0,1}^m, x' ← A(x), x ⋈ x'
cs-OW                        (a, St) ← A1(·), x ← {0,1}^μ, v ← h(x||a), x' ← A2(v, St), v = h(x')
ks-OW (partial OW [?])       a ← {0,1}^{m−μ}, x ← {0,1}^μ, v ← h(x||a), x' ← A(a, v), v = h(x')
OW (preimage resistance)     x ← {0,1}^m, v ← h(x), x' ← A(v), v = h(x')

Complexity Assumptions about Keyless Compression Functions. Table 1 lists six notions of security for the compression function h : {0,1}^m → {0,1}^n. Here we have a fixed security parameter 1 ≤ μ ≤ m. A typical value of μ is μ = n/2 or μ = n. Of the six notions, the two most important ones in the current work are cs-SPR and cs-OW, because these are the assumptions that we make about the underlying compression function h. The others are fp-CR (forced-prefix CR, cf. [ref]), SPR, ks-OW (known-suffix OW) and OW. These four appear in the list only for the purpose of analyzing the nature of cs-SPR and cs-OW in Sect. 8 and 9, respectively.

The notion of cs-SPR is a variant of SPR where a suffix is chosen by the adversary. Informally, the game of cs-SPR for the compression function h : {0,1}^m → {0,1}^n proceeds as follows: First a suffix a of a given length is chosen by the adversary, and then a challenge x of a given length is randomly drawn and shown to the adversary. The goal of the adversary is to find a second preimage x' ≠ x||a such that h(x||a) = h(x'). Here we emphasize that the adversary is required to commit to the value a before observing the challenge x.

Security Goals for Keyless Hash Functions. Our SPR and OW goals for a hash function H : {0,1}* → {0,1}^n are formalized in Table 2. Note that an adversary can choose the challenge length λ ≥ μ at the beginning of each game. Also note that the adversary's response x' may be of a length different from λ.

Table 2. Security goals for keyless hash function H : {0,1}* → {0,1}^n

Goal | Game
SPR | (λ, St) ← A_1(·), x ← {0,1}^λ, x' ← A_2(x, St), x ⋈ x'
OW | (λ, St) ← A_1(·), x ← {0,1}^λ, v ← H(x), x' ← A_2(v, St), v = H(x')

Security Notions for Keyed Function Family. We utilize four notions, Coll, eColl (enhanced Coll), TCR (target collision resistance) and eTCR (enhanced TCR), for analyzing cs-SPR in Sect. 8. See Table 3. The notion of eColl appears to be new.

Table 3. Security notions for keyed function family φ_k : {0,1}^m → {0,1}^n

Notion (Alias) | Game
Coll | k ← K, (x, x') ← A(k), (k, x) ⋈ (k, x')
eColl | k ← K, (x, k', x') ← A(k), (k, x) ⋈ (k', x')
TCR (eSec, UOWHF) | (x, St) ← A_1(·), k ← K, x' ← A_2(k, St), (k, x) ⋈ (k, x')
eTCR | (x, St) ← A_1(·), k ← K, (k', x') ← A_2(k, St), (k, x) ⋈ (k', x')

Advantage Functions and Adversarial Resources. For a CR-like or SPR-like goal, we define the advantage function of an adversary A as Adv_f^goal(A) ≝ Pr[⋈ holds], where f is the target function (h, H, etc.). Similarly, we define Adv_f^goal(A) ≝ Pr[= holds] for an OW-like goal. The probabilities are over all coins defined in the game and used by A. We fix a model of computation and measure the time complexity of adversaries. The time complexity of an adversary is the time for execution of its overlying game plus its code size. We let time(h) denote the time complexity necessary for one computation of h. Define Adv_f^goal(t, ℓ) ≝ max_A Adv_f^goal(A), where the max runs over all adversaries A with time complexity at most t, and with λ, |St| and |x'| each being at most ℓ blocks. A "block" is m − n bits. t may be omitted from the notation if irrelevant in the context.

4 How to Insert Split Padding 

Our new hash function H̄ operates exactly the same as the original hash H except for the last two blocks of messages. More precisely, the new hash function is defined as

H̄(x) = H(split-padding(x)),

with a plain Merkle-Damgård hash function H : {0,1}* → {0,1}^n. The definition of split-padding is given in Fig. 2 along with a pictorial representation in Fig. 3. The basic idea of the "split padding" method is to make sure that every block input to the compression function h has at least μ bits of a message^3 rather than being entirely padding bits or length-encoding bits. Indeed, when combined with split-padding, the function MD-strengthening never invokes line 104 of Fig. 1. For this mechanism to work, we need to impose a condition σ + 1 + 2μ ≤ m − n on h : {0,1}^m → {0,1}^n. As long as this condition is fulfilled, the algorithm split-padding is well-defined. Also observe that no message bits are shared across the blocks. We will come back to this issue after proving the following basic result.

Proposition 1. The function split-padding is one-to-one (i.e., injective).

3 Of course, here we are assuming that the message is at least μ bits long to begin
Algorithm split-padding(x)
301 Set ℓ ← ⌈(|x| + 1)/(m − n)⌉
302 Divide x = x[1] || ··· || x[ℓ − 1] || x[ℓ] so that |x[1]| = ··· = |x[ℓ − 1]| = m − n and 0 ≤ |x[ℓ]| ≤ m − n − 1
303 If μ ≤ |x[ℓ]| ≤ m − n − σ − 2 then pad-plain EndIf
304 If |x[ℓ]| ≤ μ − 1 then pad-with-borrow EndIf
305 If |x[ℓ]| ≥ m − n − σ − 1 then pad-with-carry EndIf
306 Output y

310 Subroutine pad-plain
311 Put y ← x || 0

320 Subroutine pad-with-borrow
321 If ℓ ≥ 2 then divide x[ℓ − 1] = x̂[ℓ − 1] || brw so that |brw| = μ and |x̂[ℓ − 1]| = m − n − μ
322   Set x̂[ℓ] ← brw || x[ℓ]
323   Put y ← x[1] || ··· || x[ℓ − 2] || x̂[ℓ − 1] || 10^{μ−1} || x̂[ℓ] || 1 EndIf
324 If ℓ = 1 then put y ← x[1] || 1 EndIf

330 Subroutine pad-with-carry
331 Divide x[ℓ] = x̂[ℓ] || cry so that |cry| = μ and |x̂[ℓ]| = |x[ℓ]| − μ
332 Set x̂[ℓ + 1] ← cry
333 Put y ← x[1] || ··· || x[ℓ − 1] || x̂[ℓ] || 10^{m−n−1−|x̂[ℓ]|} || x̂[ℓ + 1] || 1

Fig. 2. Description of the "split padding" algorithm

Proof. Let x, x' ∈ {0,1}*. We want to prove that the equality split-padding(x) = split-padding(x') implies x = x'. So suppose we have x and x' such that the condition split-padding(x) = split-padding(x') holds. Set y ← split-padding(x) and y' ← split-padding(x'). Divide y = w||b and y' = w'||b' so that |b| = |b'| = 1. The equality y = y' tells us that b = b' and w = w'.

Case A: b = b' = 0. In this case we know that both y and y' come from pad-plain. Hence, we must have x = w and x' = w', which yields x = x'.

Case B: b = b' = 1. We observe that in this case both y and y' originate from either pad-with-borrow or pad-with-carry. We divide the case according to the size |y| = |y'|.

Case B1: |y| = |y'| ≤ m − n. Note that pad-with-carry always produces at least two blocks of output, which implies that both y and y' must have been processed through pad-with-borrow in this case. Consequently, we get x = w, x' = w' and x = x'.

Case B2: |y| = |y'| > m − n. Put η ← ⌈(|y| + 1)/(m − n)⌉. We must have η ≥ 2. Divide y = y[1] || ··· || y[η − 1] || y[η] and y' = y'[1] || ··· || y'[η − 1] || y'[η], so that |y[1]| = ··· = |y[η − 1]| = |y'[1]| = ··· = |y'[η − 1]| = m − n. Recall that pad-with-borrow sets the last block to a length between μ + 1 and 2μ bits, whereas pad-with-carry always sets the last block to a length of μ + 1 bits. Now we further divide the case according to the value |y[η]|.

Case B2a: |y[η]| = |y'[η]| ≥ μ + 2. This case assures that both y and y' originate from pad-with-borrow. It means that we can write y[η − 1] = ŷ[η − 1] || 10^{μ−1} and y'[η − 1] = ŷ'[η − 1] || 10^{μ−1}. We can also write y[η] = ŷ[η] || 1 and y'[η] = ŷ'[η] || 1. Therefore, we obtain

x = y[1] || ··· || y[η − 2] || ŷ[η − 1] || ŷ[η],
x' = y'[1] || ··· || y'[η − 2] || ŷ'[η − 1] || ŷ'[η],

which immediately implies that x = x'.

Case B2b: |y[η]| = |y'[η]| = μ + 1. There are multiple possibilities in this case: y and y' may come from either pad-with-borrow or pad-with-carry. To identify the case, we further divide y[η − 1] = ŷ[η − 1] || 10^a and y'[η − 1] = ŷ'[η − 1] || 10^a for some integer a. Observe that pad-with-borrow always sets a = μ − 1, whereas pad-with-carry sets a ≥ μ. Hence, by looking at the value a we see that either (i) both y and y' are from pad-with-borrow, or (ii) both y and y' are from pad-with-carry. Write y[η] = ŷ[η] || 1 and y'[η] = ŷ'[η] || 1. We see that

x = y[1] || ··· || y[η − 2] || ŷ[η − 1] || ŷ[η],
x' = y'[1] || ··· || y'[η − 2] || ŷ'[η − 1] || ŷ'[η],

which gives us the desired equality x = x'.

Thus, we have shown that split-padding(x) = split-padding(x') always implies x = x'. This proves the injectivity of the function split-padding. □

Fig. 3. Split padding: "plain" (top), "borrow" (middle) and "carry" (bottom), combined with MD-strengthening. Note that the last 10*||⟨|y|⟩ comes from MD-strengthening, not from split-padding. 10* means 10···0 with an appropriate num-

On the Constraint σ + 1 + 2μ ≤ m − n. We need to impose this constraint on the underlying compression function h. Thanks to the constraint, every block ends up containing at least μ bits of a message after the split-padding procedure.

The constraint is necessary for handling the last block properly. Recall that the subroutine pad-with-borrow produces the last block with a length of at most μ + μ − 1 + 1 = 2μ bits. The subroutine pad-with-carry produces the last block with a length always equal to μ + 1 bits. The constraint guarantees that the last block of either type, padded with MD-strengthening, fits neatly in a single block. The subroutine pad-plain by definition handles only the case when the last block fits in one block.

The constraint also guarantees that the second last block contains at least μ bits of the message. This holds true for pad-plain, pad-with-borrow and pad-with-carry.

The constraint is not problematic as long as we are dealing with MD5 or SHA-1 with μ = n/2 or μ = n. It puts an obstacle in the way of using SHA-256 with σ = 64 and n = 256. In such a case we are limited to setting the value of μ only up to μ ≤ 223.
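Figs. 1 and 2, Proposition 1 and the constraint above, as an added example that is not part of the original paper: a Python model of MD-strengthening, MD-iteration and split-padding over bit strings. The parameters n = 4, m = 16, σ = 6, μ = 2 and a truncated SHA-256 standing in for h are all constructed here and satisfy σ + 1 + 2μ ≤ m − n; the model counts message bits per block to show that plain MD-strengthening can produce a block holding none while split padding always leaves at least μ, confirms that line 104 is never reached after split padding, and checks injectivity exhaustively on short inputs.

```python
import hashlib
import itertools
import math

# Toy parameters, constructed for this example (the paper keeps m, n, sigma, mu generic).
# They satisfy the Sect. 4 constraint sigma + 1 + 2*mu <= m - n, here 6 + 1 + 4 <= 12.
N, M, SIGMA, MU = 4, 16, 6, 2
B = M - N          # a block is m - n bits
IV = "0" * N
assert SIGMA + 1 + 2 * MU <= B

def h(bits):
    """Toy compression function h: {0,1}^m -> {0,1}^n (truncated SHA-256, not secure)."""
    assert len(bits) == M
    digest = hashlib.sha256(bits.encode()).digest()
    return "".join(format(byte, "08b") for byte in digest)[:N]

def length_encoding(length):
    """<length>: the sigma-bit length field appended by MD-strengthening."""
    assert 0 <= length < 2 ** SIGMA, "message too long for a sigma-bit length field"
    return format(length, "0%db" % SIGMA)

def md_strengthening(y):
    """Fig. 1, lines 101-105.  Returns (z, used_line_104)."""
    ell = math.ceil((len(y) + 1) / B)
    last = y[(ell - 1) * B:]                      # y[ell], 0 <= |y[ell]| <= B - 1
    if len(last) <= B - SIGMA - 1:                # line 103: 1 0^* <|y|> fits in block ell
        return y + "1" + "0" * (B - SIGMA - 1 - len(last)) + length_encoding(len(y)), False
    # line 104: block ell is topped up and an extra block holds nothing but 0^* <|y|>
    return y + "1" + "0" * (B - 1 - len(last)) + "0" * (B - SIGMA) + length_encoding(len(y)), True

def blocks_of(z):
    assert len(z) % B == 0
    return [z[i:i + B] for i in range(0, len(z), B)]

def md_iteration(z):
    """Fig. 1, lines 201-203: v[i] = h(z[i] || v[i-1]) from v[0] = IV; empty z gives IV."""
    v = IV
    for block in blocks_of(z):
        v = h(block + v)
    return v

def split_padding(x):
    """Fig. 2: pad x so that every block fed to h keeps at least mu message bits."""
    ell = math.ceil((len(x) + 1) / B)
    blocks = [x[i * B:(i + 1) * B] for i in range(ell)]   # x[ell] may be empty
    last = blocks[-1]
    if MU <= len(last) <= B - SIGMA - 2:                   # line 303: pad-plain
        return x + "0"
    if len(last) <= MU - 1:                                # line 304: pad-with-borrow
        if ell == 1:                                       # line 324
            return x + "1"
        prev_hat, brw = blocks[-2][:B - MU], blocks[-2][B - MU:]        # line 321
        return ("".join(blocks[:-2]) + prev_hat + "1" + "0" * (MU - 1)  # lines 322-323
                + brw + last + "1")
    # line 305: pad-with-carry, |x[ell]| >= B - sigma - 1
    last_hat, cry = last[:len(last) - MU], last[len(last) - MU:]        # line 331
    return ("".join(blocks[:-1]) + last_hat + "1" + "0" * (B - 1 - len(last_hat))
            + cry + "1")                                                # lines 332-333

def hash_split(x):
    """The patched hash H-bar(x) = H(split-padding(x)) with H the plain MD hash."""
    return md_iteration(md_strengthening(split_padding(x))[0])

def min_message_bits_per_block(pad, lengths):
    """Fewest message bits in any block over the given message lengths.  Message bits
    are the letter 'm'; the algorithms only slice and concatenate, so the marker survives."""
    worst = B
    for length in lengths:
        z, _ = md_strengthening(pad("m" * length))
        worst = min(worst, min(block.count("m") for block in blocks_of(z)))
    return worst

def line104_ever_used(lengths):
    """Does MD-strengthening ever reach line 104 once split-padding has run first?"""
    return any(md_strengthening(split_padding("m" * length))[1] for length in lengths)

def is_injective(max_len):
    """Exhaustive check of Proposition 1 on every bit string of length 0..max_len."""
    seen = {}
    for length in range(max_len + 1):
        for bits in itertools.product("01", repeat=length):
            x = "".join(bits)
            y = split_padding(x)
            if seen.get(y, x) != x:
                return False
            seen[y] = x
    return True

if __name__ == "__main__":
    lengths = range(MU, 49)        # footnote 3: messages are at least mu bits long
    print("fewest message bits in a block, plain MD-strengthening:", min_message_bits_per_block(lambda x: x, lengths))
    print("fewest message bits in a block, split padding first   :", min_message_bits_per_block(split_padding, lengths))
    print("line 104 reached after split padding:", line104_ever_used(lengths))
    print("split-padding injective up to 16 bits:", is_injective(16))
```

With these parameters a 12-bit message (exactly one block) makes plain MD-strengthening emit a second block made only of padding and length bits, which is the situation split padding removes.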

5 CR of Merkle-Damgard with Split Padding 

We follow the "human-ignorance" approach developed by [ref] for formalizing the notion of CR.

Proposition 2. Let H̄ : {0,1}* → {0,1}^n be the Merkle-Damgård hash function with split padding constructed of a compression function h : {0,1}^m → {0,1}^n. If there exists an explicitly-given adversary that finds a pair of colliding messages for H̄ with a probability ε, spending time complexity at most t, each message being at most ℓ blocks, then there exists an explicitly-given adversary that finds a collision for h with a probability ε, spending time complexity at most t' ≈ t + 2ℓ · time(h).

Proof. This statement immediately follows from the injectivity of split-padding and the well-known CR reduction of the plain Merkle-Damgård iteration [ref]. □

6 SPR of Merkle-Damgard with Split Padding 

In this section we prove that the patched hash function H̄ is SPR assuming that the underlying compression function h is cs-SPR. After proving our result, we also discuss the birthday bound implied by the reduction.

Adversary B
410 Run A = (A_1, A_2) and obtain a bit length (λ, St) ← A_1(·)   // λ ≥ μ
411 Generate a random message x ← {0,1}^λ
412 Put z ← MD-strengthening(split-padding(x))
413 Divide z = z[1] || z[2] || ··· || z[ℓ] so that |z[1]| = |z[2]| = ··· = |z[ℓ]| = m − n
414 Choose an index i ← {1, 2, ..., ℓ}
415 Compute v[i − 1] ← MD-iteration(z[1] || z[2] || ··· || z[i − 1])
416 Divide z[i] = α || β so that |α| = μ and |β| = m − n − μ
420 Submit β || v[i − 1] as a committed suffix and receive a challenge x̃ ∈ {0,1}^μ
421 Put w ← (MD-strengthening ∘ split-padding)^{−1}(z[1] || ··· || z[i − 1] || x̃ || β || z[i + 1] || ··· || z[ℓ])
430 Feed w and St to A_2 and obtain a second preimage x' ← A_2(w, St)
431 Put z' ← MD-strengthening(split-padding(x'))
432 Divide z' = z'[1] || ··· || z'[ℓ'] so that |z'[1]| = ··· = |z'[ℓ']| = m − n
433 If ℓ' ≠ ℓ then v'[ℓ' − 1] ← MD-iteration(z'[1] || z'[2] || ··· || z'[ℓ' − 1])
434   x* ← z'[ℓ'] || v'[ℓ' − 1] EndIf
435 If ℓ' = ℓ then v'[i − 1] ← MD-iteration(z'[1] || z'[2] || ··· || z'[i − 1])
436   x* ← z'[i] || v'[i − 1] EndIf
440 Output x*

Fig. 4. Definition of adversary B attacking h : {0,1}^m → {0,1}^n in the cs-SPR sense


Theorem 1. Let H̄ : {0,1}* → {0,1}^n be the Merkle-Damgård hash function with split padding constructed of a compression function h : {0,1}^m → {0,1}^n. Then H̄ is SPR if h is cs-SPR. More concretely, we have

Adv^{spr}_{H̄}(t, ℓ) ≤ (ℓ + 1) · Adv^{cs-spr}_h(t'),

where t' ≈ t + 2ℓ · time(h). Note that the security parameter μ is implicit in the statement.

Proof. Let A = (A_1, A_2) be an adversary attacking the hash function H̄ : {0,1}* → {0,1}^n in the SPR sense. Assume that A has time complexity at most t and only handles strings whose lengths are at most ℓ blocks. We shall construct an adversary B that uses A_1 and A_2 as black-boxes and that attacks the underlying compression function h in the cs-SPR sense. The definition of B is given in Fig. 4. The basic idea is that B simulates an SPR game for A with B's challenge embedded into a randomly chosen block. Then B "hopes" that A finds a second preimage colliding at that block.

Let us first check that B simulates an SPR game for A correctly. In order to do this, we only need to verify that the distribution of the simulated challenge w at line 421 is uniformly random on the set {0,1}^λ. The only difference between this w and the x ∈ {0,1}^λ at line 411 is that the α in the i-th block is replaced with the challenge x̃. Because of the split padding, all the bits of α ∈ {0,1}^μ come from the random message x. Since x̃ is random and independent from x, we see that w is indeed drawn uniformly at random from the set {0,1}^λ. The point here is that B can choose any block, as every block contains at least μ bits of a message owing to the split padding.

We next evaluate the success probability of B. We see that B succeeds whenever A succeeds, provided that at the same time B corre​ctly guesses the index i (here we need (i) injectivity of split-padding, (ii) injectivity of MD-strengthening, and (iii) the length encoding in MD-strengthening). The choice of index i does not affect the overall distribution of w ∈ {0,1}^λ: the distribution is the same as w ← {0,1}^λ, being independently random from i. Moreover, the value i is completely hidden from A. Therefore, the choice of i is independent from the transcript of A producing x'. Putting u ← MD-strengthening(split-padding(w)) we get:

Adv^{cs-spr}_h(B) ≥ Pr[w ⋈ x' and i = index(u, z')]
  = Pr[w ⋈ x'] × Pr[i = index(u, z') | w ⋈ x']
  = Pr[A succeeds] × (1/ℓ) ≥ 1/(ℓ + 1) · Adv^{spr}_{H̄}(A).

Lastly, we compute the time complexity of adversary B. It is about equal to the time complexity of A plus two executions of MD-iteration, at line 415 and at one of lines 433 and 435 (only one of the two runs), each of which costs at most ℓ · time(h). This proves the theorem. □

Remarks on the Birthday Bound. We note that our bound for SPR is of quadratic degradation in ℓ (a linear term in the coefficient of the advantage function and another one in time complexity). This means that the security guarantee becomes vacuous when ℓ ≈ 2^{n/2} (with μ = n: recall that with t ≈ 2^{n/2} · time(h) the advantage increases to about 2^{−n/2}, cf. [ref]). In fact, the long-message SPR attacks described in [ref] are still applicable to the patched construction. It also implies that our reduction essentially gives a tight bound.

This is neither a regression to the plain Merkle-Damgård construction nor a severe limitation in practice. In the original Merkle-Damgård construction, the SPR of a hash function is assured up to the birthday bound based on the strong CR assumption about the underlying compression function rather than cs-SPR. The birthday bound by CR is at t ≈ 2^{n/2} · time(h) irrespective of the message length ℓ. Thus, our result provides a stronger bound than the one originally assured by CR. Also, in practice a typical value of σ restricts message lengths to less than 2^{n/2} blocks, so speaking of the security beyond ℓ ≈ 2^{n/2} often becomes moot.

Moreover, many of the provably secure SPR (TCR) constructions, including Randomized Hashing [ref] and Higher-Order UOWHF [ref], are susceptible to the long-message SPR attacks, hence giving security only up to the birthday bound. It is true that there exist some constructions that accomplish SPR beyond the birthday bound, such as Wide-Pipe [ref] and ROX [ref], but the security of these constructions relies on the use of random oracles.

It seems a non-trivial task for us to construct a mode of operation that achieves the full SPR security without random oracles: The "dithering" and "checksum" require major modifications to the current Merkle-Damgård construction, and these techniques are shown to be not effective in precluding long-message attacks [ref].

7 OW of Merkle-Damgard with Split Padding 

In this section we prove that the Merkle-Damgård construction combined with split padding is OW provided that the underlying compression function is cs-OW. The result contrasts sharply with the one for SPR of the previous section in that we have a security reduction without the birthday bound.

Theorem 2. Let H̄ : {0,1}* → {0,1}^n be the Merkle-Damgård hash function with split padding constructed of a compression function h : {0,1}^m → {0,1}^n. Then H̄ is OW if h is cs-OW. More concretely, we have

Adv^{ow}_{H̄}(t, ℓ) ≤ Adv^{cs-ow}_h(t'),

where t' ≈ t + 2ℓ · time(h). Note that the security parameter μ is implicit in the statement.

Proof. Let A = (A_1, A_2) be an adversary trying to invert the hash function H̄ : {0,1}* → {0,1}^n in the OW sense. Assume that A has time complexity at most t and only handles strings whose lengths are at most ℓ blocks. We shall construct an adversary B that uses A_1 and A_2 as black-boxes and that tries to invert the underlying compression function h in the cs-OW sense. The definition of B is given in Fig. 5. A significant difference from the SPR case is that B simulates an OW game for A with its challenge always embedded into the last block.

We first check that B simulates an OW game for A correctly. For this, we need to verify that the distribution of the challenge v given at line 520 indeed coincides with the distribution v ← H̄(x), x ← {0,1}^λ. By definition of the cs-OW oracle, the value v at line 520 is computed as v ← h(x̃ || β || v[ℓ − 1]) with x̃ ← {0,1}^μ. Now note that all the bits of α at line 515 come from the random message x ∈ {0,1}^λ and appear in no other blocks, owing to the split padding. Since the randomness of x̃ is independent from that of x, replacing α with x̃ does not affect the distribution of v. Thus we see that B indeed simulates the correct distribution of v.

It remains to evaluate the success probability of B. We observe that B succeeds whenever A succeeds in inversion, so Adv^{cs-ow}_h(B) ≥ Adv^{ow}_{H̄}(A) holds. The time complexity of B is about that of A plus two executions of MD-iteration at lines 514 and 533. This proves the theorem. □

Tightness of the Bound. Unlike the case of SPR, this time the degradation is only linear in ℓ (i.e., we do not have the coefficient ℓ + 1 in front of the advantage function).^4 This means that we still have some security left even when ℓ ≈ 2^{n/2} (with μ = n) and that long-message birthday attacks do not apply to the OW case.

Our bound for OW is "essentially" tight, except for the ℓ-degradation in time complexity. To see this, consider an inverter A (in the OW sense) attacking H̄, who outputs λ = μ at the beginning of each game and receives a challenge v ∈ {0,1}^n. Then the challenge is computed as v ← h(x || a), x ← {0,1}^μ, with the suffix a = 010* || ⟨μ + 1⟩ || IV. This is "essentially" a cs-OW game on h, except that the suffix a ∈ {0,1}^{m−μ} is not completely "chosen" by A but rather "known" to A. We shall discuss more on the gap between cs-OW and ks-OW in Sect. 9.

4 [ref] obtains an OW result based on the OW assumption about h and the "output regularity" of h. The result, however, has a coefficient of ℓ in front of the advantage function (associated with the regularity).

Adversary B
510 Run A = (A_1, A_2) and obtain a bit length (λ, St) ← A_1(·)   // λ ≥ μ
511 Generate a random message x ← {0,1}^λ
512 Put z ← MD-strengthening(split-padding(x))
513 Divide z = z[1] || z[2] || ··· || z[ℓ] so that |z[1]| = |z[2]| = ··· = |z[ℓ]| = m − n
514 Compute v[ℓ − 1] ← MD-iteration(z[1] || z[2] || ··· || z[ℓ − 1])
515 Divide z[ℓ] = α || β so that |α| = μ and |β| = m − n − μ
520 Submit β || v[ℓ − 1] as a committed suffix and receive a challenge v ∈ {0,1}^n
530 Feed v to A_2 and obtain a preimage x' ← A_2(v, St)
531 Put z' ← MD-strengthening(split-padding(x'))
532 Divide z' = z'[1] || ··· || z'[ℓ'] so that |z'[1]| = ··· = |z'[ℓ']| = m − n
533 Compute v'[ℓ' − 1] ← MD-iteration(z'[1] || z'[2] || ··· || z'[ℓ' − 1])
534 Set x* ← z'[ℓ'] || v'[ℓ' − 1]
540 Output x*

Fig. 5. Definition of adversary B attacking h : {0,1}^m → {0,1}^n in the cs-OW sense

8 Analysis of cs-SPR 

The purpose of this section is to reveal the nature of cs-SPR. It is clear that CR implies cs-SPR^5 but not vice versa, so cs-SPR is a strictly weaker requirement than CR. Here we do want to say more; that is, we claim that cs-SPR is an assumption which is inherently weaker than CR, by showing:

A cs-SPR function exists if an OW function exists.

This is a complexity-theoretic result. It is known that the existence of Coll functions implies that of OW functions [ref], but not vice versa: [ref] shows that there exists no black-box construction of Coll functions from OW functions. This is strong evidence of a separation between the Coll property and the OW property, and we show that cs-SPR belongs to the latter class.

5 More formally, it should read "fp-CR implies cs-SPR."

Fig. 6. [Diagram of the relationships among eColl, Coll, fp-CR, eTCR, TCR, cs-SPR and SPR (left) and among cs-OW, ks-OW and OW (right); the arrows are not recoverable from the extraction.] A ⇒ B indicates "A-secure implies B-secure," while A → B indicates "A-existence implies B-existence." Dotted boxes indicate black-box separation from the Coll requirement.

Our claim is based on the results [ref] which prove that the existence of an OW function implies that of a TCR function family.^6 The existence of a TCR function family is equivalent to that of an SPR function [ref], so we actually present an explicit black-box construction of a cs-SPR function from an SPR function, thereby showing the existence of a cs-SPR function based on that of an OW function. For a better understanding of cs-SPR, we also point out a symmetry between cs-SPR and eTCR; roughly speaking, cs-SPR can be regarded as an unkeyed version of eTCR. The diagram on the left in Fig. 6 summarizes the relationships among these various notions.

Proposition 3. A cs-SPR function exists if an SPR function exists.

Proof. Let f : {0,1}^μ → {0,1}^ν be an SPR function. Define g : {0,1}^m → {0,1}^{ν+m−μ} as g(x||a) ≝ f(x)||a for x ∈ {0,1}^μ and a ∈ {0,1}^{m−μ}. Then it can be directly verified that Adv^{cs-spr}_g(t) ≤ Adv^{spr}_f(t') where t' ≈ t. □

Proposition 4. A cs-SPR function exists if and only if an eTCR function family exists.

Proof. Let f : {0,1}^m → {0,1}^n be a cs-SPR function with a security parameter μ ≤ m. Define a family of functions φ_k : {0,1}^{m−μ} → {0,1}^n with k ∈ {0,1}^μ as φ_k(a) ≝ f(k||a). Then it is easy to see that Adv^{etcr}_φ(t) ≤ Adv^{cs-spr}_f(t') where t' ≈ t. Conversely, let φ_k : {0,1}^{m−μ} → {0,1}^n be an eTCR function family with k ∈ {0,1}^μ. Define f : {0,1}^m → {0,1}^n as f(x||a) = φ_x(a). Then we see that Adv^{cs-spr}_f(t) ≤ Adv^{etcr}_φ(t') where t' ≈ t. □

The notion of cs-SPR provides a bridge between SPR and CR, depending on the value μ. This can be viewed as an unkeyed version of the continuum developed in [ref]. Also, the notion of cs-SPR contrasts sharply with that of fp-CR, as there is a clear distinction between the two: The notion of fp-CR is open to generic birthday attacks, whereas that of cs-SPR is not.

6 These results are based on polynomially-bounded reductions. [ref] proves the existence based on that of an OW permutation, while [ref] on that of an OW function.
9 Analysis of cs-OW

There are obvious implications: cs-OW-secure ⇒ ks-OW-secure ⇒ OW-secure. Thus our assumption cs-OW is the strongest of these three notions. We show that cs-OW is, however, not "too far" from OW, by proving (see the diagram on the right in Fig. 6):

A cs-OW function exists if an OW function exists.

Unlike the case of cs-SPR, we have a direct black-box construction this time:

Proposition 5. A cs-OW function exists if an OW function exists.

Proof. Let f : {0,1}^μ → {0,1}^n be an OW function. Define g : {0,1}^m → {0,1}^{n+m−μ} as g(x||a) = f(x)||a for x ∈ {0,1}^μ and a ∈ {0,1}^{m−μ}. Then it can be directly verified that Adv^{cs-ow}_g(t) ≤ Adv^{ow}_f(t') where t' ≈ t. □

10 Application to Randomized Hashing 

In closing the paper we point out that our split padding is compatible with Randomized Hashing [ref]. Recall that Randomized Hashing first mixes a message with a randomly generated mask and then hashes the data using the Merkle-Damgård construction. A problem arises when line 104 of the algorithm MD-strengthening in Fig. 1 is invoked, because it would then result in an insufficient amount of randomness in the last block. Randomized Hashing suggests using "double padding" for dealing with this problem. Our split padding offers an alternative to this method, assuring at least μ bits of randomness in the very last invocation of the compression function.
Abstract. The collision-resistance of hash functions is an important foundation of many cryptographic protocols. Formally, collision-
resistance can only be expected if the hash function in fact constitutes a 
parametrized family of functions, since for a single function, the adver- 
sary could simply know a single hard-coded collision. In practical appli- 
cations, however, unkeyed hash functions are a common choice, creating 
a gap between the practical application and the formal proof, and, even 
more importantly, the concise mathematical definitions. 

A pragmatic way out of this dilemma was recently formalized by Ro- 
gaway: instead of requiring that no adversary exists that breaks the pro- 
tocol (existential security), one requires that given an adversary that 
breaks the protocol, we can efficiently construct a collision of the hash 
function using an explicitly given reduction (constructive security). 

In this paper, we show the limits of this approach: We give a protocol 
that is existentially secure, but that provably cannot be proven secure 
using a constructive security proof. 

Consequently, constructive security — albeit constituting a useful im- 
provement over the state of the art — is not comprehensive enough to 
encompass all protocols that can be dealt with using existential security 
proofs. 

1 Introduction 

The collision-resistance of hash functions is an important ingredient of many 
cryptographic protocols. Formally, collision-resistance can only be expected if 
the hash function in fact constitutes a parametrized family of functions, since 
for a single function, the adversary could simply have a collision hard-coded into 
its program. In practical applications, however, such unkeyed hash functions are 
often used (e.g., SHA-1), creating a gap between the practical application and the 
formal proof, and, even more importantly, the concise mathematical definitions. 

A pragmatic way out of this dilemma was discussed by Stinson [ref] and recently formalized by Rogaway [ref]: instead of requiring that no adversary exists 
that breaks the protocol (existential security), one requires that given an adver- 
sary that breaks the protocol, one can efficiently construct a collision of the hash 
function using an explicitly given reduction (constructive security). 

Slightly more formally, the dilemma can be described as follows: An existential security proof for a protocol π shows the following: If there exists a polynomial-time adversary A that has a non-negligible advantage in breaking 
the protocol, then there exists a polynomial-time adversary B that has a non- 
negligible advantage in breaking at least one of the assumptions of the protocol. 
Here, the exact meaning of the word advantage depends on the security notion 
under consideration; in a proof system for example, the advantage would be 
the probability to convince the verifier of a wrong fact. For collision-resistant 
hash functions, it would be the probability of finding a collision. Considering 
a protocol π whose security is based on the collision-resistance of an unkeyed hash function H, an existential security proof would show the following: If an adversary A has non-negligible advantage in breaking π, there is an adversary 
B that outputs a collision of H with non-negligible probability. However, this 
is vacuously true: There always exists an adversary that has a collision of H 
hard-coded into its program and outputs this collision with probability one. We, 
that is the totality of all human beings, might not know this adversary, but it 
exists nonetheless. To circumvent this problem, mathematical definitions and 
proofs usually make use of keyed hash functions. In this case, for every key K 
the collision might be different so that the assumption that no polynomial-time 
adversary can compute collisions for more than a small fraction of the keys is 
sensible. 

But what if we are forced to use unkeyed hash functions, e.g., because of 
efficiency considerations or simply because industrial applications often rely on 
unkeyed hash functions? Do we lose all possibility to prove security, since we 
cannot expect an existential security proof in this case? Fortunately, this is not 
necessarily the case: we may ground security on the observation that although 
there always exists an adversary finding a collision of an unkeyed hash func- 
tion, this adversary might not be explicitly known. This leads to the following 
approach that was recently formalized by Rogaway [ref]: A constructive security proof for a protocol π that uses a hash function H is an efficient transformation 
C (that must be explicitly given) that, upon input an adversary A and the hash 
function H, outputs a collision of H. If someone finds a successful adversary A, 
he hence also knows a collision, thereby breaking the collision-resistance of the 
hash function. 

Rogaway [ref] stresses that most existential security proofs already constitute 
constructive security proofs and that all that must be done for concisely han- 
dling unkeyed hash functions is to rephrase those proofs in a constructive set- 
ting. Indeed, folklore has always believed that protocols with existential security 
proofs can be transformed into constructive ones. In some cases it may be as 
easy as rephrasing the theorem statement, in other cases it may be as hard as 
finding a different proof. E.g., jOj writes: “In general, it is well understood that 
one can rephrase provable-security results as assertions about explicitly given 
reductions”. Although this folklore statement may hold true in many cases of 
practical interest, we show that it does not hold true in general. We construct a 
protocol (more exactly, a zero-knowledge argument of knowledge) that we show 
secure with an existential security proof, but for which we further show that 
there provably does not exist any constructive security proof. 
Hence although constructive security proofs may constitute a useful improvement 
over the state of the art, there are applications where the use of unkeyed 
hash functions cannot be justified even with this technique. 


1.1 Our Contribution 

We show how hash functions can be used to construct protocols that can be 
shown secure using an existential security proof, but that cannot be proven 
secure using a constructive security proof. 

The main idea underlying this separating example is to construct a protocol 
whose security is based on a non-uniform security reduction. Then, this reduc- 
tion will only lead to a non-uniform collision-finding algorithm. Since an unkeyed 
hash function can only be secure against uniform adversaries, such a reduction 
does not lead to a contradiction when basing the protocol on an unkeyed hash 
function. Thus, in particular, a non-uniform reduction does not give rise to a 
constructive security proof. The main technical difficulty lies in actually prov- 
ing that the security of the protocol can only be shown using a non-uniform 
reduction. 

More specifically, we investigate argument systems (computationally sound 
proof systems) as our security notion of interest. The approach can be adapted 
to other notions as well, e.g., by constructing a protocol for another task that 
uses and depends on the argument system presented in this paper. 

In more detail, we construct, depending on a hash function $H$, a proof system 
$(P^H, V^H)$ of which we can show the following properties: 

— Under two nonstandard but reasonable assumptions (discussed below in 
the paragraph on complexity assumptions and formalized in Assumption 1 
in the body of the paper) and the assumption that $H$ is a non-uniform 
collision-resistant hash function, we can give an existential security proof for 
$(P^H, V^H)$. 

— Using Assumption 1 we can prove that one cannot give a constructive security 
proof that reduces the security of $(P^H, V^H)$ to the collision-resistance 
of $H$. This even holds independent of any additional assumptions we might 
use for the constructive security proof (as long as these assumptions are not 
false). 

At a first glance, this separation may seem confusing because of the different 
layers of assumptions (in the proofs themselves and in the proofs about proofs). 
Thus the following view might help to improve the intuition underlying our 
result: In a world where Assumption 1 has been proven to hold, it will be possible 
to show existentially that $(P^H, V^H)$ is secure if $H$ is collision-resistant, but a 
constructive security proof for $(P^H, V^H)$ reducing to the collision resistance of $H$ 
will be impossible. 

At this point, we consider it important to stress that our assumptions and 
in particular our proofs strongly rely on the careful distinction of non-uniform 
and uniform complexity. In particular, we use non-uniform techniques to prove 
results about uniform algorithms. 
Basic Idea of the Construction. In order to construct a zero-knowledge argument 
of knowledge that has an existential proof of security but no constructive security 
proof, we use the following general approach. We take an existing zero-knowledge 
proof of knowledge $(P_\dagger, V_\dagger)$ and modify it as follows: Instead of directly showing 
that a given statement $\sigma$ holds, the prover $P^H$ shows (using $P_\dagger$) that one of the 
following two statements holds: 

— he knows a witness for the statement $\sigma$, or 

— he knows a ciphertext $c$ that is the encryption of a collision of $H$. 

The basic idea is that given an adversary that knows such a ciphertext $c$, one can 
break the argument. However, given an adversary with a hard-coded ciphertext, 
a constructive security proof should not be able to extract the collision contained 
in the ciphertext. We have to achieve the following two goals: 

— If $H$ is a collision-resistant keyed hash function, it is hard to find a ciphertext 
$c$ that is the encryption of a collision of $H$. Otherwise the argument can 
be easily broken even if the hash function is secure, thus even defying the 
existential security proof. 

— Given $c$, it is hard to extract a collision from $c$; in particular, the decryption 
key should be secret. Otherwise a constructive security proof can use a 
knowledge extractor to extract $c$ from a successful prover and then extract 
a collision from $c$. Further, the decryption of $c$ should not be part of the 
witness used for the proof system $(P_\dagger, V_\dagger)$ since this witness could then be 
extracted from the adversary. 

We achieve the first goal as follows: To ensure that it is hard to find a ciphertext 
given a collision-resistant keyed hash function, we use an encryption scheme that 
can be broken by non-uniform adversaries, but that is secure against uniform 
adversaries. An adversary that breaks $(P^H, V^H)$ entails an adversary that finds 
a ciphertext $c$ that is the encryption of a collision of $H$. This again entails 
the existence of a non-uniform adversary decrypting these ciphertexts and thus 
finding collisions. Consequently, if we require $H$ to be a keyed hash function that 
is collision-resistant against non-uniform adversaries, we obtain a contradiction. 
On the other hand, a constructive security proof cannot obtain the collisions in 
this way, since in such a proof the reduction would have to be explicitly given 
and thus in particular be a uniform algorithm. 

The second goal is achieved as follows: We do not directly show (using $P_\dagger$) 
that $c$ is the encryption of a collision of $H$, since this would necessitate using the 
plaintext, i.e., the collision, as a witness, which in turn would allow extracting 
this witness. Instead, we introduce another proof system $(P^*, V^*)$. This proof 
system is non-interactive (in the strong sense that it does not even use a common 
reference string), statistically sound (otherwise the overall scheme could be broken 
by non-uniform adversaries that know a single wrong proof) and it should 
hide the plaintext of the encryption $c$. The last condition roughly means that 
if some adversary can extract the plaintext of $c$ given a proof $N$, then it could 
also extract the plaintext without knowledge of $N$ with non-negligible probability. 
We call such a proof system a content-hiding proof of content. Given a 
content-hiding proof of content, we do not directly prove that $c$ is an encryption 
of a collision, but that we know a non-interactive proof $N$ that $c$ is an 
encryption of a collision. Then in the constructive security proof, $c$ and $N$ might 
be extractable from an adversary, but this would not be of help: If one could 
extract a collision from $c$ and $N$, one could extract one from $c$ alone as well 
(since $(P^*, V^*)$ is content-hiding). If the encryption scheme is IND-CPA secure, 
the encryption $c$ alone is indistinguishable from a random encryption. Thus one 
could also find the collision without using $c$ at all. A constructive security proof 
would hence imply the existence of an algorithm to find collisions. 

Summary of the Construction. We now summarize our construction in a more 
detailed and a more concise manner. Let $f$ be a one-way permutation that is secure 
against uniform adversaries, but can be inverted by non-uniform adversaries 
(Definition 2). From $f$ we construct an encryption scheme $\mathcal{E}_f$ such that for each 
security parameter, there is a fixed public key, and such that the corresponding 
secret key can be found by a non-uniform adversary (Definition 3). The scheme 
$\mathcal{E}_f$ is shown to be IND-CPA secure (Lemma 2). 

Let then $(P^*, V^*)$ be a content-hiding proof of content for the encryption 
scheme $\mathcal{E}_f$ (Definitions 4 and 5). That is, using $P^*$ we can show non-interactively 
that a given ciphertext $c$ is the encryption of a cleartext $m$ that fulfills a given 
property $\pi$. Since $P^*$ is content-hiding, we know that if we can extract the 
plaintext from $c$ given the non-interactive proof, we can also do so without 
access to the proof. Let $(P_\dagger, V_\dagger)$ be a computational zero-knowledge proof of 
knowledge. Let $H$ be a hash function (keyed or unkeyed). Then we construct the 
argument system $(P^H, V^H)$ as follows (Definition 6): 

— The prover $P^H$ takes as input a SAT-instance $\sigma$ and a corresponding witness 
$w$. The verifier $V^H$ expects a SAT-instance $\sigma$. 

— To show his knowledge of $w$, the prover $P^H$ invokes the prover $P_\dagger$ to show 
that either 

• he knows a witness $w$ for $\sigma$, or 

• he knows a ciphertext $c$ and a non-interactive proof $N$ such that the 
proof $N$ convinces the verifier $V^*$ that the ciphertext $c$ is an encryption 
of a collision of $H$. 

The prover can easily perform this proof since he knows the witness $w$. 

— The verifier $V^H$ uses $V_\dagger$ to verify the above proof. 

Note that the prover $P^*$ is never used in the above construction. The existence 
of $P^*$ will however be used in the proofs. 

On our Complexity Assumptions. Our proof is based on the existence of content- 
hiding proofs of content as well as on the existence of one-way permutations with 
non-uniform trapdoors, which constitute nonstandard complexity assumptions. 
To motivate these assumptions, we prove that relative to a random oracle these 
assumptions follow from standard ones. 

At a first glance, it may seem that a result that needs such strong assumptions 
and involved constructions will not be of relevance for the provability of 
natural protocol constructions, i.e., constructions which do not have the creation 
of a counterexample in mind. We would like to point out the following counter-arguments: 
First, one reason why we need such strong assumptions is that we do 
not only want a protocol that cannot be proven secure using constructive proofs, 
but that provably cannot be proven secure using constructive proofs. The reason 
for the complexity of our example may hence not follow from the fact that all 
natural protocols have constructive proofs, but rather from the fact that proving 
unprovability is in general a difficult task. Secondly, somewhat similar techniques 
have already been used in the literature: Barak presents an argument system 
in which the prover proves that the statement under consideration is true or that 
he knows a short circuit describing (the data sent by) the verifier. This seemingly 
contrived construction was then shown to allow for argument systems that enjoy 
properties that were shown to be impossible for zero-knowledge argument systems 
that do not use the circuit of the adversary (i.e., black-box zero-knowledge 
argument systems). In that light it may well be possible that some useful protocol 
will have to use constructions similar to the ones presented in this work and 
therefore will have no constructive security proof. 

1.2 Related Work 

Hash functions were first formalised by Damgård. In Rogaway's work the notion of a constructive 
security proof was made explicit, although the concept was already discussed or 
implicitly used in many other papers. 

The idea of considering problems relative to oracles to analyze complexity 
assumptions was introduced by Baker, Gill and Solovay. See also [?] for a survey and a discussion of 
such relativisation techniques. 

An example of a non-constructive security proof can be found in [?, Section 8]. 
They give a resettable zero-knowledge proof in the timing model, and the proof 
of soundness uses a non-constructive reduction. However, it is not shown that 
their protocol does not have a constructive proof. In contrast, the complexity of 
our constructions results from the necessity of creating a scheme where we can 
prove that no constructive security proof exists. We believe that their result 
and our result complement each other: they show that there are natural protocols 
where we do not know constructive security proofs, while we show that there 
are contrived protocols where constructive security proofs do not exist (under 
certain complexity assumptions). 

2 Preliminaries and Notation 

By $x \leftarrow A$ we mean assigning the output of the probabilistic algorithm $A$ to $x$, 
and by $x \leftarrow M$ assigning a uniformly randomly chosen element of $M$ to $x$. By 
$\langle A, B \rangle$ we mean the output of $B$ after an interaction of the interactive machines 
$A$ and $B$. The variable $k$ will always denote the security parameter. 

An unkeyed hash function $H$ is a function from $\{0,1\}^*$ to $\{0,1\}^n$ for some 
$n$ that can be computed in deterministic polynomial time. A keyed (family of) 
hash functions consists of a family $\{H_K\}$ of functions together with an efficient 
key generation algorithm $G_H$ such that the following holds: Given $K$ and $x$, the 
image $H_K(x)$ can be computed in deterministic polynomial time. Further, for 
$K \leftarrow G_H(1^k)$, the function $H_K$ maps $\{0,1\}^*$ to $\{0,1\}^{l(k)}$ for some polynomially 
bounded function $l$. 

Of central interest to this paper is the notion of a constructive security proof. 
In principle, a constructive security proof consists of two parts: an explicitly 
given reduction $C$ from adversaries to collisions, and a proof that $C$ is indeed 
such a reduction. Since we are only interested in negative results in this paper, it 
will be sufficient to show that no such reduction $C$ exists. We therefore slightly 
abuse notation and define a constructive security proof to solely consist of this 
reduction $C$. That is, we do not even require that the reduction is proven to be 
correct. 

Furthermore, we will confine ourselves to constructive security proofs that a 
given protocol is an argument system. This results in a less abstract definition, 
which is sufficient for our application. Examples of constructive security proofs 
for other properties are given by Rogaway. 

Let $(P^H, V^H)$ be a proof system parametrized by an unkeyed hash function $H$ 
that is assumed to be given as a circuit. For an adversary $A$ (given as a circuit) 
and an unsatisfiable SAT-formula $\sigma$, we define 

$$\mathrm{Adv}^{arg}_{H,k}(A,\sigma) := \Pr\bigl[\langle A, V^H(1^k,\sigma)\rangle = 1\bigr].$$

Further, for an algorithm $C$, let 

$$\mathrm{Adv}^{col}_{H,k}(C,A,\sigma) := \Pr\bigl[(x,x') \leftarrow C(1^k,H,A,\sigma) : x \neq x' \text{ and } H(x) = H(x')\bigr].$$

Definition 1 (Constructive Security Proof). Let $(P^H, V^H)$ be a proof system 
parametrised by an unkeyed hash function $H$. We call an algorithm $C$ a 
constructive security proof that $(P^H, V^H)$ is an argument if $C$ runs in uniform 
probabilistic polynomial-time and there exist some $c > 0$ and some negligible 
function $\mu$ such that for all circuits $A$, all unsatisfiable boolean formulas $\sigma$ and 
all $k \in \mathbb{N}$ we have 

$$\mathrm{Adv}^{col}_{H,k}(C,A,\sigma) \;\ge\; \bigl(\mathrm{Adv}^{arg}_{H,k}(A,\sigma)\bigr)^{c} - \mu(k).$$

Our notion of a constructive security proof slightly deviates from the notion 
put forward by Rogaway. The most obvious difference is that Rogaway's work does not contain 
any asymptotic definition of a constructive security proof. Instead, all results 
are given in terms of concrete security, i.e., the relation between the advantage 
to break the protocol and the advantage to find collisions is given explicitly. 
A negative statement, i.e., a claim that a given protocol has no constructive 
security proof, cannot rely on concrete security since one does not aim to show 
that a given relation between the two advantages does not hold, but that no 
(useful) lower bound for $\mathrm{Adv}^{col}$ in terms of $\mathrm{Adv}^{arg}$ exists. To characterize such 
useful lower bounds we have introduced the above asymptotic formulation. Since 
we are interested in a negative result, we have made the lower bound as weak as 
possible. 

A notion of black-box constructive proofs has also been formalized by Rogaway. Since 
black-box is the stricter kind of reduction, our negative result encompasses this 
notion as well. 

3 Assumptions Underlying Our Negative Result 

In this section, we will present two cryptographic assumptions that are needed 
in our proof. 


3.1 One-Way Permutations with Non-uniform Trapdoors 

The first assumption roughly states that there are one-way permutations that 
are secure against uniform adversaries but that can be inverted by non-uniform 


Definition 2 (One-Way Permutations with Non-Uniform Trapdoors). 
A function $f : \{0,1\}^* \to \{0,1\}^*$ is a one-way permutation with non-uniform 
trapdoors, if 

— The function $f$ is a length-preserving permutation that is computable in 
deterministic polynomial time. 

— The function $f$ is one-way against uniform adversaries. 

— There exists a sequence $t_k$ of polynomial-sized circuits, such that $t_k(f(x)) = x$ 
for all $k \in \mathbb{N}$ and all $x \in \{0,1\}^k$. 

The existence of one-way permutations with non-uniform trapdoors constitutes 
a nonstandard complexity assumption in cryptography. Although we did not 
succeed in reducing the existence of one-way permutations with non-uniform 
trapdoors to more common assumptions in general, we show that there is an 
oracle relative to which this is possible. 

Lemma 1. Assume that trapdoor one-way permutations with dense public keys¹ 
exist that are one-way against uniform probabilistic polynomial-time adversaries. 
Then there exists an oracle $\mathcal{O}$ relative to which one-way permutations with non-uniform 
trapdoors exist. 

The proof of this lemma is given in the full version of this paper. 

The proof of Lemma 1 in fact shows a stronger statement: choosing a random 
oracle entails one-way permutations with non-uniform trapdoors with probability 
one. If we accept the random oracle heuristic, the following conjecture is thus 
made realistic by the proof of Lemma 1. 

¹ We say a family of trapdoor permutations has dense public keys if the distribution 
of the public keys is near the uniform distribution on the set of strings of a given 
length. Intuitively, this means that we can choose the public key using only public 

Conjecture 1. Let $R$ be a sufficiently unstructured, efficiently computable function. 
Then using $R$ in the construction of the proof of Lemma 1 yields one-way 
permutations with non-uniform trapdoors. 

Using one-way permutations with non-uniform trapdoors, we can use the standard 
construction for creating IND-CPA secure encryption schemes from one-way 
permutations. The result is an encryption scheme where for each security 
parameter there is a single public key, and where the corresponding secret keys 
can be recovered by non-uniform adversaries (but not by uniform ones). 

Definition 3 (Singleton Encryption). Let $f$ be a one-way permutation with 
non-uniform trapdoors. We define the singleton encryption scheme $\mathcal{E}_f, \mathcal{D}_f$ for 
$f$ as follows: Let $pk_k := 1^k$ and $sk_k := t_k$, where $t_k$ denotes the trapdoors of 
the function $f$. For $x \in \{0,1\}$, we have $\mathcal{E}_f(pk, x) := (f(r_1),\ r_2,\ (r_1 \cdot r_2) \oplus x)$, 
where $r_1, r_2$ are uniformly random from $\{0,1\}^{|pk|}$ and $r_1 \cdot r_2$ denotes the 
inner product modulo 2. For $x \in \{0,1\}^*$, we have 
$\mathcal{E}_f(pk, x) := (\mathcal{E}_f(pk, x_1), \ldots, \mathcal{E}_f(pk, x_{|x|}))$. 

The corresponding (deterministic) decryption algorithm $\mathcal{D}_f$ proceeds as follows: 
Upon input $(pk, sk, (c_1, r_2, c_2))$ where $sk$ is a circuit and $(c_1, r_2, c_2)$ the encryption 
of a single bit, the decryption algorithm first verifies that $f(sk(c_1)) = c_1$ 
and that $|c_1| = |pk|$. If so, it outputs $(sk(c_1) \cdot r_2) \oplus c_2$. Otherwise, it outputs $\bot$. 
The encryption of multiple bits is handled by decrypting each bit individually 
(with output $\bot$ if one of the decryptions fails). 

The set of valid public keys of $\mathcal{E}_f$ for security parameter $k$ is hence $\{pk_k\}$; 
consequently the public key generation algorithm is trivial. The corresponding 
secret keys $sk_k$, i.e., the trapdoors of $f$, are guaranteed to exist, but they are not 
efficiently computable by a uniform adversary. We have $\mathcal{D}_f(pk_k, sk_k, \mathcal{E}_f(pk_k, m)) = m$ 
for all $m$ by construction; moreover, $\mathcal{D}_f(pk_k, sk, c) = m \neq \bot$ for some (possibly 
invalid) secret key $sk$ implies $\mathcal{D}_f(pk_k, sk_k, c) = m$, since the checks performed by 
$\mathcal{D}_f$ guarantee $sk(c_1) = sk_k(c_1)$. 
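The following runnable sketch of $\mathcal{E}_f$ and $\mathcal{D}_f$ is an added example written for this edit, not code from the paper. No candidate one-way permutation with a non-uniform trapdoor is available in a form one could type in, so the code stands in for $f$ with a seeded random permutation table on 16-bit strings and for the trapdoor circuit $t_k$ with the inverse table; this stand-in has no one-wayness at all, and the only things it demonstrates are the bitwise hard-core-bit encryption, the decryptor's consistency check $f(sk(c_1)) = c_1$, and the property just stated: whenever some arbitrary $sk$ decrypts to a non-$\bot$ value, that value agrees with what $t_k$ yields. The table size, the seed and the `bogus_sk` circuit are assumptions of the example.

```python
"""Singleton encryption E_f / D_f of Definition 3 over a stand-in permutation (added example).

f is a seeded random lookup table on {0,1}^K and the "non-uniform trapdoor" t_k is
its inverse table. Neither is one-way; they only let the mechanics run end to end.
"""
import random
import secrets
from typing import Callable, Optional

K = 16                      # toy security parameter: f permutes 16-bit strings
PK = "1" * K                # the single valid public key pk_k = 1^k

_rng = random.Random(2008)  # fixed seed: the example is reproducible
_F_TABLE = list(range(1 << K))
_rng.shuffle(_F_TABLE)
_T_TABLE = [0] * (1 << K)
for _x, _y in enumerate(_F_TABLE):
    _T_TABLE[_y] = _x


def f(x: int) -> int:
    """Stand-in for the one-way permutation f on {0,1}^k (NOT one-way: a table)."""
    return _F_TABLE[x]


def t_k(y: int) -> int:
    """Stand-in for the trapdoor circuit t_k with t_k(f(x)) = x (the inverse table)."""
    return _T_TABLE[y]


def dot(a: int, b: int) -> int:
    """r1 . r2: inner product of two k-bit strings modulo 2."""
    return bin(a & b).count("1") & 1


def encrypt_bit(pk: str, x: int, rand: Callable[[int], int] = secrets.randbelow) -> tuple:
    """E_f(pk, x) = (f(r1), r2, (r1 . r2) XOR x) for one bit x; r1, r2 uniform in {0,1}^|pk|."""
    assert pk == PK and x in (0, 1)
    r1, r2 = rand(1 << K), rand(1 << K)
    return (f(r1), r2, dot(r1, r2) ^ x)


def encrypt(pk: str, bits: list) -> list:
    """Multi-bit messages are encrypted bit by bit."""
    return [encrypt_bit(pk, b) for b in bits]


def decrypt_bit(pk: str, sk: Callable[[int], int], ct: tuple) -> Optional[int]:
    """D_f: accept sk only if f(sk(c1)) == c1 and |c1| == |pk|; otherwise output bot (None)."""
    c1, r2, c2 = ct
    if pk != PK or not (0 <= c1 < (1 << K)):      # |c1| = |pk| check
        return None
    r1 = sk(c1)
    if not (0 <= r1 < (1 << K)) or f(r1) != c1:   # the consistency check
        return None
    return dot(r1, r2) ^ c2


def decrypt(pk: str, sk: Callable[[int], int], cts: list) -> Optional[list]:
    """Bitwise decryption; bot (None) if any single bit fails."""
    out = []
    for ct in cts:
        b = decrypt_bit(pk, sk, ct)
        if b is None:
            return None
        out.append(b)
    return out


def bogus_sk_agrees_with_trapdoor(trials: int = 200) -> bool:
    """Property from the text: if D_f(pk, sk, c) = m != bot for ANY sk, then D_f(pk, t_k, c) = m.
    bogus_sk (an assumed, deliberately wrong circuit) inverts only even c1 and answers 0 elsewhere."""
    def bogus_sk(y: int) -> int:
        return _T_TABLE[y] if y % 2 == 0 else 0
    for _ in range(trials):
        ct = encrypt_bit(PK, secrets.randbelow(2))
        m_bogus = decrypt_bit(PK, bogus_sk, ct)
        if m_bogus is not None and m_bogus != decrypt_bit(PK, t_k, ct):
            return False
    return True


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    cts = encrypt(PK, msg)
    print("decrypt with t_k      :", decrypt(PK, t_k, cts))
    print("decrypt with identity :", decrypt(PK, lambda y: y, cts))  # almost surely bot
    print("bogus sk never misdecrypts:", bogus_sk_agrees_with_trapdoor())
```

The check in `decrypt_bit` is what the text relies on: a wrong circuit either fails `f(sk(c1)) == c1` and produces $\bot$, or passes it, in which case `sk(c1)` is the unique preimage and therefore equals `t_k(c1)`, so it cannot produce a different plaintext.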

The following lemma states that the construction given above indeed results 
in an IND-CPA secure encryption scheme, at least against uniform adversaries: 

Lemma 2. Let $f$ be a one-way permutation with non-uniform trapdoors and 
let $\mathcal{E}_f$ be the singleton encryption scheme for $f$. Then $\mathcal{E}_f$ is IND-CPA secure 
against uniform adversaries in the following sense: For all uniform probabilistic 
polynomial-time algorithms $A_1, A_2$, we have that 

$$\Pr\bigl[(m_0, m_1, z) \leftarrow A_1(1^k),\ b \leftarrow \{0,1\},\ c \leftarrow \mathcal{E}_f(pk_k, m_b) :\ A_2(1^k, c, z) = b \;\wedge\; |m_0| = |m_1|\bigr] - \tfrac{1}{2}$$

is negligible in $k$. 

A proof of Lemma 2 can be found in [Goldreich, Section 5.3.4.1]. Although this proof 
applies to a slightly different definition of public-key encryption where the public 
and secret keys are chosen by an explicit key generation algorithm, the proof 
carries over, mainly because the secret keys are not used in the definition of 
IND-CPA security. 
3.2 Proofs of Content 

We now introduce the novel notion of a non-interactive proof of content. Intuitively, 
a proof of content is a non-interactive proof system that proves that 
a given ciphertext $c$ is the encryption of some plaintext $m$ that fulfills some 
predicate $\pi$. 

We first introduce some additional notation: Given an encryption scheme 
$(\mathcal{E}, \mathcal{D})$ with deterministic decryption, a Boolean circuit $\pi$, a ciphertext $c$, a 
public key $pk$ and a private key $sk$, let $\pi^{pk,sk}[c] := \text{true}$ if and only if 
$m := \mathcal{D}(pk, sk, c) \neq \bot$ and $\pi(m) = 1$, and let $\pi^{pk}[c] := \text{true}$ if there exists a 
secret key $sk$ such that $\pi^{pk,sk}[c] = \text{true}$. 

Definition 4 (Non-Interactive Proofs of Content). A non-interactive 
proof of content for an encryption scheme $(\mathcal{E}, \mathcal{D})$ (where $\mathcal{D}$ is deterministic) 
consists of a polynomial-time prover $P$ and a polynomial-time verifier $V$ such 
that the following holds: 

— Polynomial length. There exists a polynomial $p$ such that for every $\pi$, $c$, $pk$, 
$sk$, and $k$, we have $|P(1^k, \pi, c, pk, sk)| \le p(|(1^k, \pi, c, pk, sk)|)$. 

— Completeness. There is a negligible function $\mu$ such that for every $\pi$, $c$, $pk$ 
and $sk$ satisfying $\pi^{pk,sk}[c] = \text{true}$ and for every $k$, we have 

$$\Pr\bigl[V(1^k, pk, \pi, c, P(1^k, \pi, c, pk, sk)) = 0\bigr] \le \mu(k).$$

— Soundness. There is a negligible function $\mu$ such that for every $\pi$, $c$, and $pk$ 
satisfying $\pi^{pk}[c] = \text{false}$ and for every $k$ and every string $N$, we have 

$$\Pr\bigl[V(1^k, pk, \pi, c, N) = 1\bigr] \le \mu(k).$$

So far, a proof of content can be quite easily realized by revealing the secret 
key of the encryption scheme. This of course is not satisfying; hence we need 
an additional secrecy property. We cannot expect the proof system to be zero-knowledge 
(since it is non-interactive without a common reference string), but 
we can require that a proof will not help us to extract the plaintext $m$ from the 
ciphertext (which would be clearly violated if we learned the secret key). We 
will call this property content-hiding. 

We now define content-hiding proofs of content. This notion will crucially depend 
on the notion of a valid public key of a given encryption scheme, and on 
the notion of the corresponding secret key. The notion of a valid public key and 
corresponding secret key has a natural meaning for most public-key cryptosystems, 
but it may not be well-defined in general. However, in the remainder of 
the paper we will only consider the encryption scheme from Definition 3, where 
a public key is valid if and only if it has the form $1^k$, and where the secret key 
corresponding to a given public key is uniquely determined as $t_k$. So for the sake 
of readability we abstain from formally specifying what a valid public key and 
the corresponding secret key are. 

Definition 5 (Content-Hiding Proofs of Content). A non-interactive proof 
of content $(P, V)$ for an encryption scheme $(\mathcal{E}, \mathcal{D})$ is called content-hiding if the 
following holds: 
Let $G$ be any polynomial-time algorithm that upon input $1^k$ outputs a valid 
public key $pk$ for $\mathcal{E}$, a message $m \in \{0,1\}^*$, a circuit $\pi$ and some auxiliary 
information $z \in \{0,1\}^*$. Let $A$ be any polynomial-time algorithm such that 

$$\Pr\bigl[(pk, m, \pi, z) \leftarrow G(1^k),\ c \leftarrow \mathcal{E}(pk, m),\ N \leftarrow P(1^k, \pi, c, pk, sk),\ m' \leftarrow A(1^k, pk, c, \pi, z, N) : m = m'\bigr]$$

is not negligible in $k$, where $sk$ denotes the secret key corresponding to $pk$. 

Then there exists a polynomial-time algorithm $S$ outputting a list of strings, 
such that 

$$\Pr\bigl[(pk, m, \pi, z) \leftarrow G(1^k),\ c \leftarrow \mathcal{E}(pk, m),\ M' \leftarrow S(1^k, pk, c, \pi, z) : m \in M'\bigr]$$

is not negligible in $k$. 

While the definition of content-hiding proof is similar to that of witness-hiding 
proofs, there is an important difference: Witness-hiding proofs guarantee that 
the witness cannot be guessed if the statement is chosen according to some fixed 
distribution, while we require that the content-hiding property holds for any 
efficiently sampleable distribution on the messages m. Furthermore, a witness- 
hiding proof only guarantees that the witness is not disclosed as a whole, while 
we only require that the message m is not disclosed as a whole; the latter re- 
quirement is weaker since a witness would consist of m and the randomness used 
for encryption. 

The existence of content-hiding proofs of content constitutes a novel cryptographic 
assumption. We did not succeed in reducing it to existing assumptions, 
but we show that at least there is an oracle relative to which this is possible. 

Lemma 3. Assume that trapdoor one-way permutations with dense public keys 
exist that are secure against non-uniform probabilistic polynomial-time adversaries. 
Then there exists an oracle $\mathcal{O}$ relative to which content-hiding proofs of 
content with deterministic verifiers exist for any encryption scheme $(\mathcal{E}, \mathcal{D})$. 

The proof of Lemma 3 (which is given in the full version of this paper) establishes the 
following slightly stronger statement: choosing a random oracle entails content-hiding 
proofs of content with probability one. Hence the following conjecture is 
again justified by the random oracle heuristic: 

Conjecture 2. Let $R$ be a sufficiently unstructured, efficiently computable function. 
Then using $R$ in the construction of the proof of Lemma 3 yields content-hiding 
proofs of content with deterministic verifiers. 

In the next section we will need both the existence of one-way permutations 
with non-uniform trapdoors as well as of content-hiding proofs of content. We 
additionally use some standard complexity assumptions. All assumptions used 
are summarized in the following statement: 
Assumption 1. There exist a one-way permutation with non-uniform trapdoors $f$ 
(Definition 2) and a content-hiding proof of content with a deterministic verifier² 
for the singleton encryption scheme $\mathcal{E}_f$ for $f$ (Definition 3). 

Further, we assume the existence of one-way functions secure against non-uniform 
adversaries and the existence of a keyed family of hash functions that 
is collision-resistant against non-uniform adversaries. 

4 Limits of Constructive Security Proofs 

Based on the definitions and assumptions from the preceding sections, we are 
now ready to show the existence of an existentially secure argument system that 
does not have a constructive security proof. 

In the following, let $f$ be a one-way permutation with non-uniform 
trapdoors (Definition 2), let $\mathcal{E}_f$ be the singleton encryption scheme for $f$, and let $(P^*, V^*)$ 
denote a content-hiding proof of content for $\mathcal{E}_f$. Let $(P_\dagger, V_\dagger)$ be a computational 
zero-knowledge proof of knowledge, which can be constructed from one-way 
functions secure against non-uniform polynomial-time adversaries (see e.g., 
[Goldreich, Section 4.7.3]). When passing an algorithm $A$ as argument to a function or 
algorithm, we assume that $A$ is encoded as a circuit in some canonical way. Let 
$H$ be the description of a function from $\{0,1\}^*$ to $\{0,1\}^*$. When considering $H$ 
as a circuit, we will always mean the circuit describing the function $H$ restricted 
to the domain $\{0,1\}^k$. 

Stating the construction in a concise manner necessitates a few auxiliary definitions: 

- Let $\psi_H(x_1, x_2) := \text{true}$ if and only if $x_1, x_2 \in \{0,1\}^k$, $x_1 \neq x_2$ and 
$H(x_1) = H(x_2)$. 

- Let $\gamma(H, c, N) := \text{true}$ if and only if $V^*(1^k, pk_k, \psi_H, c, N) = 1$. 

- Let $\eta(H, \sigma, c, N, w) := \text{true}$ if and only if $\sigma(w) = 1$ or $\gamma(H, c, N) = \text{true}$. 

- Let $l_c(k) := |\mathcal{E}_f(1^k, 1^{2k})|$ denote the length of an encryption of a $2k$-bit 
plaintext. 

- Let $l_P$ be a polynomial such that for all $k \in \mathbb{N}$ and $c \in \{0,1\}^{l_c(k)}$, the value 
$l_P(k + |H|)$ is an upper bound on $|P^*(1^k, \psi_H, c, pk_k, t_k)|$, where $|H|$ denotes the size 
of the circuit $H$ and $t_k$ is the non-uniform trapdoor for $f$ (cf. Definition 2). 
Such a polynomial $l_P$ exists, since there are polynomial upper bounds on 
all arguments of $P^*$, and $P^*$ satisfies the polynomial length property from 
Definition 4. 

- Let $L_\eta$ be the language consisting of all $(H, \sigma)$ such that there exists a 
triple $(c, N, w)$ with $|c| \le l_c(k)$ and $|N| \le l_P(k + |H|)$ that satisfies 
$\eta(H, \sigma, c, N, w) = \text{true}$. Obviously, $L_\eta \in \mathrm{NP}$. Note that if $\sigma(w) = 1$, then $w$ 
is a witness for $(H, \sigma) \in L_\eta$. 

² We could also weaken the assumption slightly by allowing a probabilistic verifier. 
While our results hold as well for probabilistic verifiers, we have chosen to use this 
slightly stronger formulation since it makes the separating example and the proof 
easier. 
Using this notation, we can now describe the protocol that will have an existential 
security proof, but that will provably not have a constructive proof: 

Definition 6 (The Separating Argument System). The proof system 
$(P^H, V^H)$, where $H$ may be a keyed or unkeyed hash function, is defined as 
follows: 

— The prover $P^H$ is invoked with input $(1^k, \sigma, w)$ where $\sigma$ is a Boolean circuit 
and $w$ is an assignment such that $\sigma(w) = 1$. The verifier is invoked with 
input $(1^k, \sigma)$. 

— The prover $P^H$ invokes $P_\dagger$ on security parameter $1^k$, $L_\eta$-instance $(H, \sigma)$ and 
witness $w$; here $H$ is treated as a circuit mapping $\{0,1\}^k$ to $\{0,1\}^*$. 

— The verifier $V^H$ invokes $V_\dagger(1^k, H, \sigma)$ to verify the proof given by the prover 
$P^H$. 

The notation introduced in front of Definitions 4 and 6 (e.g., $\pi^{pk}[c]$, $\gamma$, $P^*$, etc.) 
will be used in the following proofs without explicit reference. 

We have assumed in Assumption 1 that $V^*$ is deterministic. If $V^*$ were probabilistic, 
we would have to change the above proof system as follows: First, the 
prover commits to a witness $(c, N, w)$. The prover and the verifier then perform 
a coin-toss to choose a random tape $R$ for $V^*$. Finally the prover proves that 
$\sigma(w) = 1$ or that the verifier $V^*$ accepts with random tape $R$. We have opted to 
consider the case of a deterministic verifier $V^*$ to make the presentation more 
readable. 

Theorem 1. Under Assumption [?], if $H_K$ is a keyed hash function that is secure against non-uniform adversaries, then the proof system $(P^H, V^H)$ is a (non-uniformly secure) computational zero-knowledge argument of knowledge for SAT. (We assume the key $K$ to be chosen by some key generation algorithm $\mathcal{K}(1^k)$.)

Proof. Since $(P^\dagger, V^\dagger)$ is a computational zero-knowledge proof, the computational zero-knowledge property and the completeness of $(P^H, V^H)$ follow from the construction.

We show that $(P^H, V^H)$ is an argument of knowledge, i.e., we construct a knowledge extractor $E$ such that there exists a polynomial $q$ such that for any non-uniform polynomial-time prover $P$ and any sequence $\sigma$ of SAT-instances of polynomial length, there is a negligible function $\mu$ such that the following holds for each $k \in \mathbb{N}$:

$$\Pr[K \leftarrow \mathcal{K}(1^k) : E^{P(1^k, K)}(1^k, H_K, \sigma_k) \text{ is a SAT-witness for } \sigma_k] \ \ge\ \frac{1}{q(k)} \Pr[K \leftarrow \mathcal{K}(1^k) : \langle P(1^k, K), V^{H_K}(1^k, \sigma_k)\rangle = 1] - \mu(k). \qquad (1)$$

Here $E^{P(1^k, K)}(1^k, H_K, \sigma_k)$ denotes the extractor $E$ with black-box access to $P(1^k, K)$ and that is given a description of $H_K$.

Let $E^\dagger$ be the knowledge extractor of $(P^\dagger, V^\dagger)$. Then there is a polynomial $q$ such that for every non-uniform polynomial-time prover $P$ and every sequence of polynomial-sized $L_\eta$-instances $(H_k, \sigma_k)$ there exists a negligible function $\nu$ such that for all $k$ the following holds:

$$\Pr[E^{\dagger\, P(1^k)}(1^k, H_k, \sigma_k) \text{ is an } L_\eta\text{-witness for } (H_k, \sigma_k)] \ \ge\ \frac{1}{q(k)} \Pr[\langle P(1^k), V^\dagger(1^k, H_k, \sigma_k)\rangle = 1] - \nu(k). \qquad (2)$$

Here $E^{\dagger\, P(1^k)}$ denotes the extractor $E^\dagger$ with black-box access to $H_K$ and $P(1^k, K)$.

We construct the knowledge extractor $E$ as follows: When invoked with black-box access to $P$ and with input $(1^k, H, \sigma)$, it invokes $(c, N, w) \leftarrow E^{\dagger\, P}(1^k, H, \sigma)$ and then returns $w$.

It is left to show that $E$ satisfies (1). Let $P$ be a non-uniform polynomial-time prover as in (1) and $\sigma$ a sequence of SAT-instances of polynomial length. Let $K$ be a sequence of keys for the hash function $H$. By (2) and by definition of $L_\eta$ there exists a negligible function $\nu$ such that

$$\Pr[(c, N, w) \leftarrow E^{\dagger\, P(1^k, K_k)}(1^k, H_{K_k}, \sigma_k) : \eta(H_{K_k}, \sigma_k, c, N, w) = \mathrm{true}] \ \ge\ \frac{1}{q(k)} \Pr[\langle P(1^k, K_k), V^\dagger(1^k, H_{K_k}, \sigma_k)\rangle = 1] - \nu(k). \qquad (3)$$

Since this holds for every sequence $K$ of keys, we have for some negligible $\nu$ and all $k \in \mathbb{N}$:

$$\Pr[K \leftarrow \mathcal{K}(1^k),\ (c, N, w) \leftarrow E^{\dagger\, P(1^k, K)}(1^k, H_K, \sigma_k) : \eta(H_K, \sigma_k, c, N, w) = \mathrm{true}] \ \ge\ \frac{1}{q(k)} \Pr[K \leftarrow \mathcal{K}(1^k) : \langle P(1^k, K), V^\dagger(1^k, H_K, \sigma_k)\rangle = 1] - \nu(k). \qquad (4)$$

(Otherwise we could simply use the worst-case sequence of keys to contradict (3).) Let $\mu_1$ be defined as follows:

$$\mu_1(k) := \Pr[K \leftarrow \mathcal{K}(1^k),\ (c, N, w) \leftarrow E^{\dagger\, P(1^k, K)}(1^k, H_K, \sigma_k) : \gamma(H_K, c, N) = \mathrm{true}].$$

By definition, $\gamma(H_K, c, N) = \mathrm{true}$ is equivalent to $V^*(1^k, pk_k, \pi_{H_K}, c, N) = 1$, which in turn implies $\pi_{H_K}^{pk_k}[c] = \mathrm{true}$. Hence there exists a secret key $sk$ such that $\mathcal{V}_f(pk_k, sk, c) =: m \ne \bot$ and $\pi_{H_K}(m) = \mathrm{true}$. Since $\mathcal{V}_f(pk_k, sk, c) = m \ne \bot$ implies $\mathcal{D}_f(pk_k, sk_k, c) = m$ by construction, it follows that $\pi_{H_K}(\mathcal{D}_f(pk_k, sk_k, c)) = \mathrm{true}$. We therefore have

$$\mu_1(k) \ \le\ \Pr[K \leftarrow \mathcal{K}(1^k),\ (c, N, w) \leftarrow E^{\dagger\, P(1^k, K)}(1^k, H_K, \sigma_k),\ m \leftarrow \mathcal{D}_f(pk_k, sk_k, c) : \pi_{H_K}(m) = \mathrm{true}].$$

Since $(c, N, w) \leftarrow E^{\dagger\, P(1^k, K)}(1^k, H_K, \sigma_k)$, $m \leftarrow \mathcal{D}_f(pk_k, sk_k, c)$ can be computed by a non-uniform polynomial-time algorithm (given $1^k$ and $K$), and since $\pi_{H_K}(m) = \mathrm{true}$ implies that $m$ encodes a collision of $H_K$, we have constructed a non-uniform polynomial-time algorithm that finds collisions of $H_K$ with probability at least $\mu_1$. Since by assumption $H_K$ is collision-resistant against non-uniform polynomial-time adversaries, this implies that $\mu_1$ is negligible.

By definition, we have $\eta(H_K, \sigma_k, c, N, w) = \mathrm{true}$ if and only if $\sigma_k(w) = 1$ or $\gamma(H_K, c, N) = \mathrm{true}$. So using the definition of $E$ and $V^H$ we get

$$\begin{aligned}
&\Pr[K \leftarrow \mathcal{K}(1^k),\ w \leftarrow E^{P(1^k, K)}(1^k, H_K, \sigma_k) : \sigma_k(w) = 1] \\
&= \Pr[K \leftarrow \mathcal{K}(1^k),\ (c, N, w) \leftarrow E^{\dagger\, P(1^k, K)}(1^k, H_K, \sigma_k) : \sigma_k(w) = 1] \\
&\ge \Pr[K \leftarrow \mathcal{K}(1^k),\ (c, N, w) \leftarrow E^{\dagger\, P(1^k, K)}(1^k, H_K, \sigma_k) : \eta(H_K, \sigma_k, c, N, w) = \mathrm{true}] - \mu_1(k) \\
&\ge \frac{1}{q(k)} \Pr[K \leftarrow \mathcal{K}(1^k) : \langle P(1^k, K), V^\dagger(1^k, H_K, \sigma_k)\rangle = 1] - \nu(k) - \mu_1(k) \\
&= \frac{1}{q(k)} \Pr[K \leftarrow \mathcal{K}(1^k) : \langle P(1^k, K), V^{H_K}(1^k, \sigma_k)\rangle = 1] - \nu(k) - \mu_1(k). \qquad (5)
\end{aligned}$$

Setting $\mu := \nu + \mu_1$, this gives us (1) and thus shows that $(P^H, V^H)$ is a (non-uniformly secure) computational zero-knowledge argument of knowledge. □

Theorem 2. Under Assumption [?] there exists no constructive security proof $C$ that $(P^H, V^H)$ is an argument.

In particular, the theorem implies that no constructive security proof exists that $(P^H, V^H)$ is a computational zero-knowledge argument of knowledge.

Proof. Assume for contradiction that a constructive security proof $C$ exists that $(P^H, V^H)$ is an argument.

Let $f$ be a one-way permutation with non-uniform trapdoors and let $\{H_K\}_{K \in \mathcal{K}}$ be a keyed family of hash functions that is one-way against non-uniform adversaries. Let $G_H$ be the key generation algorithm for $H_K$, and assume w.l.o.g. that for $K \leftarrow G_H(1^k)$ the function $H_K$ maps from $\{0,1\}^*$ to $\{0,1\}^k$.

We first construct a keyed family $\{H_{a,b,K}\}_{(a,b,K) \in Y \times \mathcal{K}}$ of hash functions $H_{a,b,K} : \{0,1\}^* \to \{0,1\}^{k+1}$ with $Y := \bigcup_k Y_k$ and $Y_k := \{(a, b) : a, b \in \{0,1\}^k,\ a \ne b\}$ as follows:

$$H_{a,b,K}(x) := \begin{cases} 0 \,\|\, H_K(x), & |x| \ne k, \\ 1 \,\|\, f(x), & |x| = k,\ f(x) \ne a, \\ 1 \,\|\, b, & |x| = k,\ f(x) = a, \end{cases} \qquad \text{for } a, b, x \in \{0,1\}^k.$$

It is easy to see that the only collision $(x, x')$ of $H_{a,b,K}$ that satisfies $|x| = |x'| = k$ is $(f^{-1}(a), f^{-1}(b))$. Hence finding such a collision of $H_{a,b,K}$ for random $(a, b)$ implies inverting $f$ at $a$. Finding collisions $(x, x')$ with $|x| \ne k$ or $|x'| \ne k$ breaks the collision-resistance of $H_K$. So $H_{a,b,K}$ is collision-resistant against uniform polynomial-time adversaries.

In the following, we write $k$-collision to denote a collision $(x, x')$ with $|x| = |x'| = k$. Then there exists only a single $k$-collision $(x, x')$ of $H_{a,b,K}$ (where $k = |a| = |b|$).
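The case analysis above can be checked exhaustively at a toy parameter size. The following is an added example, not part of the paper: it instantiates $H_{a,b,K}$ with $k = 8$, uses an affine map as a stand-in for the one-way permutation $f$ and a truncated SHA-256 as a stand-in for the keyed hash $H_K$ (both are constructed assumptions with no hardness at all), enumerates every $k$-bit input, and confirms that the single $k$-collision is $(f^{-1}(a), f^{-1}(b))$, so that whoever finds it has inverted $f$ at $a$. It also checks that no collision can pair a $k$-bit input with an input of another length, because the leading output bit separates the two cases.

```python
import hashlib

# Toy instantiation of H_{a,b,K} (added example, not the paper's construction code).
# k is tiny so that every k-bit input can be enumerated and every collision inspected.
K_BITS = 8

def f(x: int) -> int:
    """Stand-in for the one-way permutation f on {0,1}^k.
    x -> 37*x + 11 mod 2^k is a permutation of the k-bit strings (37 is odd),
    but it is trivially invertible: it models f's structure, not its hardness."""
    return (37 * x + 11) % (1 << K_BITS)

def f_inv(y: int) -> int:
    """Inverse of the toy permutation (plays the role of the trapdoor)."""
    return (pow(37, -1, 1 << K_BITS) * (y - 11)) % (1 << K_BITS)

def H_K(key: bytes, x: bytes) -> int:
    """Stand-in for the keyed hash H_K : {0,1}^* -> {0,1}^k (here k = 8, one byte)."""
    return hashlib.sha256(key + x).digest()[0]

def H_abK(a: int, b: int, key: bytes, x: bytes) -> tuple:
    """H_{a,b,K}(x) as a (leading bit, k-bit value) pair, following the three cases:
         0 || H_K(x)   if |x| != k
         1 || f(x)     if |x| == k and f(x) != a
         1 || b        if |x| == k and f(x) == a
    Inputs are byte strings, so |x| = 8 * len(x) and |x| == k means len(x) == 1."""
    if 8 * len(x) != K_BITS:
        return (0, H_K(key, x))
    fx = f(x[0])
    return (1, fx if fx != a else b)

def k_collisions(a: int, b: int, key: bytes) -> list:
    """All k-collisions of H_{a,b,K}: groups of distinct k-bit inputs with equal output."""
    by_output = {}
    for x in range(1 << K_BITS):
        by_output.setdefault(H_abK(a, b, key, bytes([x])), []).append(x)
    return [tuple(xs) for xs in by_output.values() if len(xs) > 1]

def invert_f_from_collision(a: int, b: int, key: bytes) -> int:
    """The reduction in the text: whoever finds the k-collision (x, x') learns f^{-1}(a),
    because one of the two colliding inputs maps to a under f."""
    (x, x2), = k_collisions(a, b, key)          # exactly one k-collision exists
    return x if f(x) == a else x2

def cross_length_collisions(a: int, b: int, key: bytes, others: list) -> int:
    """Collisions between a k-bit input and an input of any other length are impossible,
    since the leading output bit differs. Returns how many such pairs exist (always 0)."""
    short = {H_abK(a, b, key, bytes([x])) for x in range(1 << K_BITS)}
    return sum(1 for x in others if H_abK(a, b, key, x) in short)
```

With $k = 8$ the enumeration is 256 evaluations; the structure is the same for any $k$, only the brute-force check stops being feasible.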

Let $\sigma_{false}$ denote some fixed unsatisfiable circuit. Let $P$ be a prover that upon input $(1^k, H, c, N)$ invokes $P^\dagger$ on security parameter $1^k$, $L_\eta$-instance $(H, \sigma_{false})$ and witness $(c, N, w)$.

By construction of $(P^H, V^H)$ and since $(P^\dagger, V^\dagger)$ is complete, there exists a negligible function $\mu_1$ such that for all $c, N$ with $|c| \le l_c(k)$ and $|N| \le l_P(k + |H|)$ such that $N$ is a valid proof for $\pi_H^{pk_k}[c] = \mathrm{true}$ (i.e., such that $V^*(1^k, pk_k, \pi_H, c, N) = 1$), we have

$$\Pr[\langle P(1^k, H, c, N), V^H(1^k, \sigma_{false})\rangle = 1] \ \ge\ 1 - \mu_1(k). \qquad (6)$$

Consider the following game $G_0$:

$$\begin{aligned}
&(a, b) \leftarrow Y_k,\quad \hat a := f(a),\quad \hat b := f(b),\quad K \leftarrow G_H(1^k),\quad H := H_{\hat a, \hat b, K}, &\qquad (7)\\
&c \leftarrow \mathcal{E}_f(pk_k, (a, b)),\quad N \leftarrow P^*(1^k, \pi_H, c, pk_k, sk_k), &\qquad (8)\\
&(\tilde a, \tilde b) \leftarrow C(1^k, H, P(1^k, H, c, N), \sigma_{false}). &\qquad (9)
\end{aligned}$$

That is, first, in (7) we construct a hash function $H$ such that we know the (only) $k$-collision $(a, b)$. Then in (8) we construct an encryption $c$ of that $k$-collision and a proof that $c$ indeed contains a $k$-collision (i.e., that $\pi_H^{pk_k}[c] = \mathrm{true}$). Finally, in (9) we invoke the generic security proof $C$ with a description of the hash function $H$, with a description of $P$ (instantiated with input $(1^k, H, c, N)$) and with the SAT-instance $\sigma_{false}$.

By the completeness of $(P^*, V^*)$, there is a negligible function $\mu_2$ such that in $G_0$ the following holds: $\Pr[V^*(1^k, pk_k, \pi_H, c, N) = 1] \ge 1 - \mu_2(k)$. Further, by definition of $l_c$ and $l_P$ it is $|c| \le l_c(k)$ and $|N| \le l_P(k + |H|)$. Then using (6) we get

$$\mathrm{Adv}^{arg} := \Pr[\langle P(1^k, H, c, N), V^H(1^k, \sigma_{false})\rangle = 1] \ \ge\ 1 - \mu_1(k) - \mu_2(k)$$

when $H$, $c$ and $N$ are chosen as in game $G_0$.

Since $\sigma_{false}$ is not satisfiable, this violates the soundness of the argument system $(P^H, V^H)$. So by the definition of constructive security proofs, $C$ should be able to extract a collision given $1^k$, $H$, $P(1^k, H, c, N)$ and $\sigma_{false}$. More exactly, let $p$ be a polynomial such that $p(k)$ bounds the length of $(1^k, H, P(1^k, H, c, N), \sigma_{false})$. Such a polynomial exists, since $H$ is constructed by a polynomial-time algorithm and $P$ runs in polynomial time. Then there is a $c > 0$ and a negligible function $\mu_5$ such that

$$\Pr[(\tilde a, \tilde b) \text{ is a collision of } H] \ \ge\ \left(\frac{\mathrm{Adv}^{arg}}{p(k)}\right)^{c} - \mu_5(k) \ =:\ \nu(k).$$

Then $\nu$ is not negligible. On the other hand, since $H_K$ is collision-resistant against non-uniform adversaries, and $(\tilde a, \tilde b)$ is computed by non-uniform polynomial-time algorithms in (7)–(9), there is a negligible function $\mu_4$ bounding the probability that $(\tilde a, \tilde b)$ is a collision of $H_K$. Since by construction of $H := H_{\hat a, \hat b, K}$ the only collision of $H$ that is not a collision of $H_K$ is the $k$-collision $(f^{-1}(\hat a), f^{-1}(\hat b)) = (a, b)$, it follows that

$$\Pr[(\tilde a, \tilde b) = (a, b)] \ \ge\ \nu(k) - \mu_4(k). \qquad (10)$$

Let now $A(1^k, pk, c, \pi, H, N) := C(1^k, H, P(1^k, H, c, N), \sigma_{false})$. Since $C$ and $P$ are polynomial-time algorithms, so is $A$. Further let $G(1^k)$ be an algorithm that chooses $m := (a, b)$ and $H$ as in game $G_0$ and then outputs $(pk_k, m, \pi_H, H)$. Then $G$ runs in polynomial time, too. Then the following game $G_1$ is just a rewriting of game $G_0$:

$$(pk, m, \pi, H) \leftarrow G(1^k),\quad c \leftarrow \mathcal{E}_f(pk, m),\quad N \leftarrow P^*(1^k, \pi, c, pk, sk),\quad m' \leftarrow A(1^k, pk, c, \pi, H, N)$$

with $(\tilde a, \tilde b) := m'$ and with $sk$ being the secret key corresponding to $pk$. So by (10) it follows that $\Pr[m = m'] \ge \nu(k) - \mu_4(k)$ in game $G_0$. This is not negligible. Since $(P^*, V^*)$ is content-hiding, it follows that there is a polynomial-time simulator $S$ such that

$$\nu_2(k) := \Pr[(pk, m, \pi, H) \leftarrow G(1^k),\ c \leftarrow \mathcal{E}_f(pk, m),\ M' \leftarrow S(1^k, pk, c, \pi, H) : m \in M'] \qquad (11)$$

is not negligible. Since $\mathcal{E}_f$ is IND-CPA by Lemma [?] and the algorithms in (11) are all uniform polynomial-time algorithms, we can replace $\mathcal{E}_f(pk, m)$ by $\mathcal{E}_f(pk, 0^{2k})$ (since $|m| = 2k$). (For this, note that $G$ chooses $pk := pk_k$.) Then, for some negligible function $\mu_3$, we have

$$\Pr[(pk, m, \pi, H) \leftarrow G(1^k),\ c \leftarrow \mathcal{E}_f(pk, 0^{2k}),\ M' \leftarrow S(1^k, pk, c, \pi, H) : m \in M'] \ \ge\ \nu_2(k) - \mu_3(k).$$

Since given a description of $H_{\hat a, \hat b, K}$ with $\hat a = f(a)$ and $\hat b = f(b)$, we can efficiently verify whether for some $m'$ we have $m' = (a, b)$, we can modify $S$ so that it directly outputs $m = (a, b)$ if that $m$ is in $M'$. Call the resulting algorithm $S'$. By substituting the definition of $G$ we get

$$\Pr[(a, b) \leftarrow Y_k,\ \hat a := f(a),\ \hat b := f(b),\ K \leftarrow G_H(1^k),\ (\tilde a, \tilde b) \leftarrow S'(1^k, pk_k, \mathcal{E}_f(pk_k, 0^{2k}), \pi_{H_{\hat a, \hat b, K}}, H_{\hat a, \hat b, K}) : (\tilde a, \tilde b) = (a, b)] \ \ge\ \nu_2(k) - \mu_3(k).$$

(Footnote: The non-uniformity stems from the appearance of $sk_k$ in game $G_0$.)

Let the algorithm $T(1^k, \hat a)$ perform as follows: First, it chooses $\hat b$ uniformly from $\{0,1\}^k \setminus \{\hat a\}$ and $K$ using $G_H(1^k)$. Then it executes $(\tilde a, \tilde b) \leftarrow S'(1^k, pk_k, \mathcal{E}_f(pk_k, 0^{2k}), \pi_{H_{\hat a, \hat b, K}}, H_{\hat a, \hat b, K})$ and outputs $\tilde a$. Then the previous probability can be rewritten as

$$\Pr[a \leftarrow \{0,1\}^k,\ \tilde a := T(1^k, f(a)) : \tilde a = a] \ \ge\ \nu_2(k) - \mu_3(k).$$

Since $\nu_2 - \mu_3$ is not negligible and $T$ is a uniform polynomial-time algorithm, this is a contradiction to $f$ being one-way against uniform polynomial-time adversaries. Hence our assumption that $C$ is a constructive security proof was wrong. □
Abstract. Recently Cash, Kiltz, and Shoup [?] showed a variant of the Cramer-Shoup (CS) scheme [?] whose chosen-ciphertext (CCA) security relies on the computational Diffie-Hellman (CDH) assumption. The cost for this high security is that the size of ciphertexts is much larger than that of the CS scheme (which is based on the decisional Diffie-Hellman assumption).

In this paper, we show how to achieve CCA-security under the CDH assumption without increasing the size of ciphertexts. We also show a more efficient scheme under the hashed Diffie-Hellman assumption.

Both of our schemes are based on a certain broadcast encryption (BE) scheme, while the Cash-Kiltz-Shoup scheme is based on the Twin DH problem. Of independent interest, we also show a generic method of constructing CCA-secure PKE schemes from BE schemes.

1 Introduction

1.1 Background

Chosen-ciphertext security (CCA-security, for short) [?] is considered a standard notion of security for public key encryption (PKE) in practice. Furthermore, this security also implies universally composable security [?]. So far, many CCA-secure PKE schemes have been proposed, both theoretical ones [?] and practical ones [?], and their security is proven under the existence of enhanced trapdoor permutations (for theoretical schemes) or under various number theoretic assumptions (for practical schemes). Theoretical schemes pursue weaker assumptions and practical schemes pursue efficiency.

One of the most important research topics in this field is to design CCA-secure PKE schemes with weaker assumptions and better efficiency. Cramer and Shoup showed the first practical PKE scheme under the decisional Diffie-Hellman (DDH) assumption. Kurosawa and Desmedt showed a more efficient scheme under the DDH assumption [?].

However, there has been no (even theoretical) CCA-secure PKE scheme under the computational Diffie-Hellman (CDH) assumption except for a recent work by Cash, Kiltz, and Shoup [?].¹

¹ We started our work independently of [?]. In fact, the authors of [?] kindly cited an earlier version of our paper as an independent work.

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 308-325, 2008.
1.2 Our Contribution

In this paper, we present a practical CCA-secure PKE scheme under the CDH assumption such that the size of a ciphertext is much smaller than that of the Cash-Kiltz-Shoup (CKS) scheme. Indeed, the ciphertext length of our scheme is the same as that of the Cramer-Shoup (CS) scheme (which is based on the DDH assumption). Specifically, the ciphertext overhead of our CDH-based scheme is only three group elements for arbitrary plaintext length, while that of the CKS scheme is $k/\log k + 2$ group elements, where $k$ is the security parameter.

We also present a more efficient CCA-secure PKE scheme under the hashed Diffie-Hellman (HDH) assumption. This scheme is as efficient as the Kurosawa-Desmedt (KD) scheme [?] in terms of both computational costs and data sizes, while the HDH assumption is weaker than the DDH assumption.²

Both of our schemes are based on the Naor-Pinkas broadcast encryption (BE) scheme, while the CKS scheme is based on the Twin DH problem. Of independent interest, we show a generic method of transforming any selectively chosen-plaintext (CPA) secure verifiable BE scheme into a CCA-secure key encapsulation mechanism (KEM) with almost no cost, where we say that a BE scheme is verifiable if any receiver can tell whether all receivers decrypt a given ciphertext to the identical result or not.

Further, we show that almost all existing methods for achieving CCA-security, e.g. [?], can be explained by using verifiable BE schemes. It is also possible to construct a new PKE scheme based on this paradigm, for example, from the Boneh-Gentry-Waters (BGW) BE scheme [?]. Moreover, we can generically convert any CPA-secure verifiable BE into a CCA-secure BE with almost no cost. Our results imply that verifiable BE is a powerful tool to obtain CCA-security.

1.3 Related Works

Under Stronger Assumptions than CDH. After the KD scheme, several CCA-secure encryption schemes were constructed under stronger assumptions than the CDH assumption. The scheme of Boyen, Mei, and Waters [?] is based on the bilinear Diffie-Hellman (BDH) assumption. The scheme of Kiltz [?] is based on the gap hashed Diffie-Hellman (GHDH) assumption. The scheme of Hofheinz and Kiltz [?] is based on the $n$-linear DDH assumption.

KEM/DEM Framework. The KEM/DEM framework was formalized by Shoup [?] for the design of hybrid encryption schemes, and the CS hybrid encryption scheme was constructed. However, the KD scheme does not fit into this framework. To explain the KD scheme in a general framework, Abe, Gennaro, Kurosawa, and Shoup [1] established the Tag-KEM/DEM framework. Hofheinz and Kiltz [?] introduced the notion of Constrained CCA (CCCA) security of KEM.

² After an earlier version of this paper [?], in the latest full version of [?], Cash, Kiltz, and Shoup pointed out that the Hofheinz-Kiltz scheme in [?] can also be proved to be secure under the HDH assumption.
How to Achieve CCA Security. Naor and Yung showed that a non-adaptively CCA-secure encryption scheme can be constructed from any semantically secure encryption [?] and a non-interactive zero-knowledge (NIZK) proof [?]. Dolev, Dwork, and Naor [?] and Sahai [?] improved this idea and presented adaptively CCA-secure constructions. However, it is not known if an NIZK proof can be constructed from any semantically secure encryption scheme. (A partial answer to this question is given in [?].)

Canetti, Halevi, and Katz [?] proposed another generic method such that a CCA-secure PKE scheme can be obtained from a selectively secure identity-based encryption (IBE) scheme [37,5]. Boneh and Katz [?] improved its efficiency. Kiltz [?] discussed a more relaxed condition for achieving CCA-security.

Broadcast Encryption. In the model of broadcast encryption (BE) schemes, there are multiple receivers. The sender broadcasts a ciphertext such that only privileged receivers can decrypt. Fiat and Naor [?] proposed the first non-trivial construction of BE. Naor, Naor, and Lotspiech [?] presented a significantly more efficient scheme. Naor and Pinkas [20] proposed a public key BE scheme by using an ElGamal-like construction, and Dodis and Fazio [?] improved it to be secure against adaptive adversaries as well as chosen-ciphertext adversaries. Boneh, Gentry, and Waters [?] proposed the first fully collusion resistant (public key) BE scheme whose ciphertexts and user decryption keys are of constant size.

1.4 Organization

Definitions are given in Sec. 2. Our main idea is described in Sec. 3. The proposed scheme under the CDH assumption is shown in Sec. 4. A more efficient scheme under the HDH assumption is presented in Sec. [?]. A comparison with other PKE schemes is given in Sec. [?]. Finally, we show a generic method to construct CCA-secure PKE schemes from verifiable BE in Sec. [?].

2 Definitions

2.1 Key Encapsulation Mechanisms

It is well-known that by combining a CCA-secure KEM and a CCA-secure data encryption mechanism (DEM), a CCA-secure PKE scheme is generically obtained [?], and furthermore, there exist some other flexible methods for hybrid encryption as well [?]. It is also known that a CCA-secure DEM can be generically constructed from any pseudorandom function without redundancy [27,33].

A KEM consists of the following three algorithms: $\mathsf{Setup}(1^k)$ takes as input the security parameter $1^k$ and outputs a decryption key $dk$ and a public key $PK$. $\mathsf{Encrypt}(PK)$ takes as input a public key $PK$ and outputs a pair $(\psi, K)$ where $\psi$ is a ciphertext and $K \in \mathcal{K}$ is a data encryption key. $\mathsf{Decrypt}(dk, \psi, PK)$ takes as input the decryption key $dk$, a ciphertext $\psi$, and the public key $PK$, and outputs $K \in \mathcal{K}$ which will be used for decrypting the DEM part of hybrid encryption.
We require that if $(dk, PK) \leftarrow \mathsf{Setup}(1^k)$ and $(\psi, K) \leftarrow \mathsf{Encrypt}(PK)$ then $\mathsf{Decrypt}(dk, \psi, PK) = K$.

CCA-security of a KEM is defined using the following game between an attack algorithm $A$ and a challenger. Both the challenger and $A$ are given $1^k$ as input.

Setup. The challenger runs $\mathsf{Setup}(1^k)$ to obtain a decryption key $dk$ and a public key $PK$. The challenger also runs algorithm $\mathsf{Encrypt}$ to obtain $(\psi^*, K^*) \leftarrow \mathsf{Encrypt}(PK)$ where $K^* \in \mathcal{K}$. Next, the challenger picks a random $b \in \{0,1\}$. It sets $K_0 = K^*$ and picks a random $K_1 \in \mathcal{K}$. It then gives the public key $PK$ and the challenge ciphertext $(\psi^*, K_b)$ to algorithm $A$.

Query. Algorithm $A$ adaptively issues decryption queries $\psi_1, \ldots, \psi_{q_D}$. For query $\psi_i$ ($\ne \psi^*$), the challenger responds with $\mathsf{Decrypt}(dk, \psi_i, PK)$.

Guess. Algorithm $A$ outputs its guess $b' \in \{0,1\}$ for $b$ and wins the game if $b = b'$.

Let $\mathrm{AdvKEM}_A$ denote the probability that $A$ wins the game.

Definition 1. We say that a KEM is $(\tau, \varepsilon, q_D)$ CCA-secure if for all $\tau$-time algorithms $A$ who make a total of $q_D$ decryption queries, we have that $|\mathrm{AdvKEM}_A - 1/2| < \varepsilon$.

2.2 Number Theoretic Assumptions

The CDH, HDH, and DDH Assumptions. Let $\mathbb{G}$ be a multiplicative group with prime order $p$. Then, the CDH problem on $\mathbb{G}$ is stated as follows. Let $A$ be an algorithm, and we say that $A$ has advantage $\varepsilon$ in solving the CDH problem on $\mathbb{G}$ if $\Pr[A(g, g^\alpha, g^\beta) = g^{\alpha\beta}] \ge \varepsilon$, where the probability is over the random choice of generator $g$ in $\mathbb{G}$, the random choice of $\alpha$ and $\beta$ in $\mathbb{Z}_p$, and the random bits consumed by $A$.

Definition 2. We say that the $(\tau, \varepsilon)$-CDH assumption holds in $\mathbb{G}$ if no $\tau$-time algorithm has advantage $\varepsilon$ in solving the CDH problem on $\mathbb{G}$.

The hashed Diffie-Hellman (HDH) problem on $\mathbb{G}$ and function $h : \mathbb{G} \to \mathcal{D}$ is stated as follows. Let $A$ be an algorithm, and we say that $A$ has advantage $\varepsilon$ in solving the HDH problem on $\mathbb{G}$ and $h$ if

$$\tfrac{1}{2} \cdot \left|\Pr[A(g, g^\alpha, g^\beta, h(g^{\alpha\beta})) = 0] - \Pr[A(g, g^\alpha, g^\beta, T) = 0]\right| \ \ge\ \varepsilon,$$

where the probability is over the random choice of generator $g$ in $\mathbb{G}$, the random choice of $\alpha$ and $\beta$ in $\mathbb{Z}_p$, the random choice of $T \in \mathcal{D}$, and the random bits consumed by $A$.

Definition 3. We say that the $(\tau, \varepsilon)$-HDH assumption holds in $\mathbb{G}$ and $h$ if no $\tau$-time algorithm has advantage $\varepsilon$ in solving the HDH problem on $\mathbb{G}$ and $h$. Especially, we say that the $(\tau, \varepsilon)$-DDH assumption holds in $\mathbb{G}$ if the $(\tau, \varepsilon)$-HDH assumption holds in $\mathbb{G}$ and $h$, where $h$ is the identity function.
Important Implications. It is important to note that the HDH assumption is strictly weaker than the DDH assumption for appropriately chosen $h$. If $h$ is a key derivation function [?], then the DDH assumption immediately implies the HDH assumption (but not vice versa). Furthermore, if $h$ is a hardcore bit for the Diffie-Hellman key [?], then the CDH assumption is equivalent to the HDH assumption. Obviously, the CDH assumption is weaker than both the HDH and DDH assumptions.

Hardcore Bits for the Diffie-Hellman Key. Let $A$ be a $\tau$-time algorithm which has advantage $\varepsilon$ in solving the HDH problem on $\mathbb{G}$ and $h : \mathbb{G} \to \{0,1\}$.

Definition 4. We say that function $h : \mathbb{G} \to \{0,1\}$ is a $(p_1, p_2)$ hardcore bit function in $\mathbb{G}$ if there exists a $p_1(\tau)$-time algorithm $B$ which, for any given $A$, can solve the CDH problem with advantage $p_2(\varepsilon)$ for some polynomials $p_1$ and $p_2$.

2.3 Public Key Broadcast Encryption Schemes

Model. Here, we review definitions for public key BE schemes. For simplicity, we define encryption schemes as key encapsulation mechanisms, and borrow the same notations as [?] with some slight modifications. A BE scheme consists of the following three algorithms: $\mathsf{Setup}(1^k, n, t)$ takes as input the security parameter $1^k$, the number of receivers $n$, and the maximum number of revoked users $t$ ($t < n$). It outputs $n$ decryption keys $d_1, \ldots, d_n$ and a public key $PK$. $\mathsf{Encrypt}(S, PK)$ takes as input a subset $S \subseteq \{1, \ldots, n\}$ with $|S| \ge n - t$, and a public key $PK$. It outputs a pair $(\psi, K)$ where $\psi$ is called the header and $K \in \mathcal{K}$ is a message encryption key. Let $M$ be a message to be broadcast to the set $S$ and let $C_M$ be the encryption of $M$ under the symmetric key $K$. The broadcast to users in $S$ consists of $(S, \psi, C_M)$. The pair $(S, \psi)$ is often called the full header and $C_M$ is often called the broadcast body. $\mathsf{Decrypt}(S, i, d_i, \psi, PK)$ takes as input a subset $S \subseteq \{1, \ldots, n\}$, a user index $i \in \{1, \ldots, n\}$ and the decryption key $d_i$ for user $i$, a header $\psi$, and the public key $PK$. If $i \in S$ and $|S| \ge n - t$, then the algorithm outputs the message encryption key $K \in \mathcal{K}$. The key $K$ can then be used to decrypt the broadcast body $C_M$ and obtain the message body $M$.

As usual, we require that the scheme be correct, namely that for all $S \subseteq \{1, \ldots, n\}$ and all $i \in S$, if $((d_1, \ldots, d_n), PK) \leftarrow \mathsf{Setup}(1^k, n, t)$ and $(\psi, K) \leftarrow \mathsf{Encrypt}(S, PK)$ then $\mathsf{Decrypt}(S, i, d_i, \psi, PK) = K$.

CCA Security. We define CCA-security of a BE scheme against a static adversary. Security is defined using the following game between an attack algorithm $A$ and a challenger. Both the challenger and $A$ are given $1^k$, $n$ and $t$, the total number of potential users and the maximum number of revoked users, respectively, as inputs.

Init. Algorithm $A$ begins by outputting a set $S^* \subseteq \{1, \ldots, n\}$ of receivers that $A$ wants to attack, where $|S^*| \ge n - t$.

Setup. The challenger runs $\mathsf{Setup}(1^k, n, t)$ to obtain decryption keys $d_1, \ldots, d_n$ and a public key $PK$. The challenger also runs algorithm $\mathsf{Encrypt}$ to obtain
$(\psi^*, K^*) \leftarrow \mathsf{Encrypt}(S^*, PK)$ where $K^* \in \mathcal{K}$. Next, the challenger picks a random $b \in \{0,1\}$. It sets $K_0 = K^*$ and picks a random $K_1 \in \mathcal{K}$. It then gives $(\psi^*, K_b)$ to algorithm $A$.

Query. Algorithm $A$ adaptively issues decryption queries $q_1, \ldots, q_{q_D}$ where a decryption query consists of the triple $(u, S, \psi)$ where $\psi \ne \psi^*$, $S \subseteq S^*$ and $u \in S$. The challenger responds with $K$ (or $\bot$) $= \mathsf{Decrypt}(S, u, d_u, \psi, PK)$.

Guess. Algorithm $A$ outputs its guess $b'$ for $b$ and wins the game if $b = b'$.

Let $\mathrm{AdvBr}_{A,n,t}$ denote the probability that $A$ wins the game when the challenger is given $n$ and $t$.

Definition 5. We say that a broadcast encryption scheme is $(\tau, \varepsilon, n, t, q_D)$ CCA-secure if for all $\tau$-time algorithms $A$ who make a total of $q_D$ decryption queries, we have that $|\mathrm{AdvBr}_{A,n,t} - 1/2| < \varepsilon$. Especially, we say that a broadcast encryption scheme is $(\tau, \varepsilon, n, t)$ semantically secure if it is $(\tau, \varepsilon, n, t, 0)$ CCA-secure.

Verifiability. For achieving CCA-security, we need an important property for the underlying BE, which we call verifiability. Roughly speaking, we say that a BE scheme has verifiability if a valid receiver of a broadcasted message can verify whether his decryption result is the same as that for any other receiver. We can define two flavors of verifiability: public verifiability and private verifiability. Their difference is that in a publicly verifiable BE scheme, a receiver can verify equality of keys without using his decryption key, whereas in a privately verifiable scheme the decryption key is necessary.

For public verifiability, we define adversary $A$'s advantage $\mathrm{AdvVfy}_{A,n,t}$ as

$$\mathrm{AdvVfy}_{A,n,t} = \Pr[\exists\, i, j \in S^* : \mathsf{Decrypt}(S^*, i, d_i, \psi^*, PK) \ne \mathsf{Decrypt}(S^*, j, d_j, \psi^*, PK) \mid ((d_1, \ldots, d_n), PK) \leftarrow \mathsf{Setup}(1^k, n, t);\ (S^*, \psi^*) \leftarrow A((d_1, \ldots, d_n), PK)].$$

Definition 6. We say that a broadcast encryption scheme is $(\tau, \varepsilon, n, t)$ publicly verifiable if for all $\tau$-time algorithms $A$, we have that $\mathrm{AdvVfy}_{A,n,t} < \varepsilon$.

We can also define private verifiability in a similar manner, and its formal definition is given in the full version of this paper [?].

2.4 Other Cryptographic Tools

Target Collision Resistant Hash Functions. Let $\mathsf{TCR} : \mathcal{X} \to \mathcal{Y}$ be a hash function (we individually define the range and domain of $\mathsf{TCR}$ for each scheme), $A$ be an algorithm, and $A$'s advantage $\mathrm{AdvTCR}_A$ be $\mathrm{AdvTCR}_A = \Pr[\mathsf{TCR}(x') = \mathsf{TCR}(x) \in \mathcal{Y} \wedge x' \ne x \mid x \leftarrow \mathcal{X};\ x' \leftarrow A(x)]$.

Definition 7. We say that $\mathsf{TCR}$ is a $(\tau, \varepsilon)$ target collision resistant hash function if for all $\tau$-time algorithms $A$, we have that $\mathrm{AdvTCR}_A < \varepsilon$.


314 G. Hanaoka and K. Kurosawa


One-Time Signatures. A signature scheme consists of the following three algorithms: $\mathsf{Gen}(1^k)$ takes as input the security parameter $1^k$, and outputs a verification key $vk$ and a signing key $sk$. $\mathsf{Sign}(sk, m)$ takes as input a signing key $sk$ and a message $m$, and outputs a signature $\sigma$. $\mathsf{Verify}(vk, m, \sigma)$ takes as input a verification key $vk$, a message $m$, and a signature $\sigma$, and outputs a bit $b \in \{0,1\}$. We require that for all $sk$, all $m$ in the message space, and all $\sigma$ output by $\mathsf{Sign}(sk, m)$, we have $\mathsf{Verify}(vk, m, \sigma) = 1$.

Security is defined using the following game between an attack algorithm $A$ and a challenger. Both the challenger and $A$ are given $1^k$ as input.

Setup. The challenger runs $\mathsf{Gen}(1^k)$ to obtain $vk$ and $sk$. It gives $A$ the verification key $vk$.

Query. Algorithm $A$ may issue at most one query $m$. The challenger responds with $\sigma \leftarrow \mathsf{Sign}(sk, m)$.

Forge. Algorithm $A$ outputs $(m^*, \sigma^*)$ such that $(m^*, \sigma^*) \ne (m, \sigma)$.

Let $\mathrm{AdvOTS}_A$ denote the probability that $\mathsf{Verify}(vk, m^*, \sigma^*) = 1$.

Definition 8. We say that a signature scheme is $(\tau, \varepsilon)$ strongly unforgeable if for all $\tau$-time algorithms $A$, we have that $\mathrm{AdvOTS}_A < \varepsilon$.


3 Toward Efficient CCA-Secure Scheme under CDH

The Naor-Pinkas BE scheme [?] is one-way under the CDH assumption. In this section, we construct a verifiable BE scheme from the Naor-Pinkas BE scheme, where we say that a BE scheme is verifiable if any receiver can tell whether all receivers decrypt a given ciphertext to the identical result or not. The main difficulty in this paper is how to add verifiability to the Naor-Pinkas scheme.

Our CCA-secure PKE scheme under the CDH assumption is obtained from this variant of the Naor-Pinkas BE scheme. See Sec. [?] for details on this observation.

3.1 The Naor-Pinkas Broadcast Encryption Scheme

The Naor-Pinkas scheme [?], which was constructed based on [?], is as follows. Let $\mathbb{G}$ be a multiplicative group with prime order $p$, and $g \in \mathbb{G}$ be a generator. Suppose that there are at most $t$ potential revoked users.

In the setup phase, the center chooses a polynomial $f(x) = \sum_{0 \le i \le t} a_i x^i$ over $GF(p)$ randomly, and computes $y_i = g^{a_i}$ for $0 \le i \le t$. The public key is $PK = (\mathbb{G}, g, y_0, \ldots, y_t)$. The center keeps $f(x)$ as the master key, and gives $f(i)$ to each user $i \in \{1, \ldots, p-1\}$ as his decryption key.

To revoke users $i_1, \ldots, i_t \in \mathbb{Z}_p$, the sender generates a ciphertext $\psi = (g^r, g^{r f(i_1)}, \ldots, g^{r f(i_t)})$ and a key $K = y_0^r$ where $r \leftarrow \mathbb{Z}_p$. Notice that $g^{f(i)}$ can be computed as $\prod_{0 \le j \le t} y_j^{i^j}$ for any $i \in \{1, \ldots, p-1\}$. On receiving $\psi = (C_0, \ldots, C_t)$, user $u \notin \{i_1, \ldots, i_t\}$ computes $C_u = C_0^{f(u)}$ and recovers the key as $K = C_u^{\lambda(u)} \prod_{1 \le j \le t} C_j^{\lambda(i_j)}$, where $\lambda(x)$ is the Lagrange coefficient such that $\lambda(x) = \prod_{x' \in \{u, i_1, \ldots, i_t\} \setminus \{x\}} x' (x' - x)^{-1}$ over $\mathbb{Z}_p$.

3.2 Verifiability

As we mentioned, the main difficulty in this paper is how to add verifiability to the Naor-Pinkas scheme. Here we give a solution. Consider a modification of the Naor-Pinkas scheme such that user $i$ is given $(f(i), f(rnd), rnd)$ as his decryption key, where $rnd \leftarrow \mathbb{Z}_p$. We note that a legitimate user $i$ can decrypt a ciphertext in two different ways according to two different keys, i.e. $f(i)$ and $f(rnd)$. If these decryption results are not identical, then the user can detect that the ciphertext is in an invalid form. Notice that since $rnd$ is random and not known to other users, it is difficult to generate an invalid ciphertext whose decryption results under $f(i)$ and $f(rnd)$ are identical.

Unfortunately, the above idea is faulty. Namely, even if user $i$ is revoked and $f(i)$ does not work for decryption, he still has $f(rnd)$ and can decrypt a ciphertext by using it. Hence, the modified scheme is not secure any more. Therefore, we further modify the Naor-Pinkas scheme as follows: For at most $t$ revoked users, in the setup phase, a polynomial $f(x) = \sum_{0 \le i \le 2t+1} a_i x^i$ is generated in the same manner as in the original Naor-Pinkas scheme except that its degree is changed to $2t+1$. The public key is $PK = (\mathbb{G}, g, y_0, \ldots, y_{2t+1})$.

We assume that a user $\mathbf{i}$ has two unique identities $i$ and $\bar{i}$, where we denote $\mathbf{i} = (i, \bar{i}) \in \{1, \ldots, p-1\}^2$. The center keeps $f(x)$ as the master key, and for user $\mathbf{i} = (i, \bar{i}) \in \{1, \ldots, p-1\}^2$ he publishes $d_{\mathbf{i}} = (f(i), f(\bar{i}), f(rnd), rnd)$ as $\mathbf{i}$'s decryption key, where $rnd \leftarrow \mathbb{Z}_p$. Assuming that users $\mathbf{i}_1 (= (i_1, \bar{i}_1)), \ldots, \mathbf{i}_t (= (i_t, \bar{i}_t))$ are revoked, the sender generates $\psi = (g^r, g^{r f(i_1)}, g^{r f(\bar{i}_1)}, \ldots, g^{r f(i_t)}, g^{r f(\bar{i}_t)})$ and $K = y_0^r$ where $r \leftarrow \mathbb{Z}_p$.

On receiving $\psi = (C_0, \ldots, C_{2t})$, a user $\mathbf{i} = (i, \bar{i}) (\notin \{\mathbf{i}_1, \ldots, \mathbf{i}_t\})$ computes $C_i = C_0^{f(i)}$, $C_{\bar{i}} = C_0^{f(\bar{i})}$, and $C_{rnd} = C_0^{f(rnd)}$. We notice that $\psi$ can be decrypted by using any two of $C_i$, $C_{\bar{i}}$ and $C_{rnd}$ with Lagrange interpolation (for example, by using $(C_i, C_{\bar{i}})$, the session key is recovered as $K = C_i^{\lambda(i)} C_{\bar{i}}^{\lambda(\bar{i})} \prod_{1 \le j \le t} \big(C_{i_j}^{\lambda(i_j)} C_{\bar{i}_j}^{\lambda(\bar{i}_j)}\big)$, where $\lambda(x)$ is the Lagrange coefficient such that $\lambda(x) = \prod_{x' \in \{i, \bar{i}, i_1, \ldots, i_t, \bar{i}_1, \ldots, \bar{i}_t\} \setminus \{x\}} x' (x' - x)^{-1}$ over $\mathbb{Z}_p$). Then, user $\mathbf{i}$ carries out decryption in three different ways according to the three different choices of $(C_i, C_{\bar{i}})$, $(C_i, C_{rnd})$, and $(C_{\bar{i}}, C_{rnd})$. Then, user $\mathbf{i}$ can be convinced of the equality of decryption results for all legitimate subscribers if $\mathbf{i}$'s three decryption results are identical. Furthermore, when $\mathbf{i}$ is revoked, he cannot decrypt a ciphertext at all even though he still has $f(rnd)$. Now, we obtain a new verifiable BE scheme from Naor-Pinkas BE, and are ready to convert it into a CCA-secure PKE scheme.


4 Efficient CCA-Secure KEM from CDH

In this section, we show an efficient CCA-secure KEM under the CDH assumption such that the size of ciphertexts is the same as that of the CS scheme. Our KEM is obtained from the verifiable BE scheme shown in the previous section. Let $G$ be a multiplicative group with prime order $p$, and $g \in G$ be a generator. Then, the construction of the scheme is as follows:

Setup($1^k$): Generate a random polynomial $f(x) = a_0 + a_1 x + \cdots + a_{k+2} x^{k+2}$ over $\mathbb{Z}_p$, and compute $y_i = g^{a_i}$ for $0 \le i \le k+2$. The decryption key is $f(x)$, and the public key is $PK = (G, g, y_0, y_1, \ldots, y_{k+2}, TCR_0, TCR_1, h)$, where $TCR_b : G \to S_b$ ($b = 0, 1$) are target collision resistant hash functions such that $S_0 \cup S_1 \subseteq \mathbb{Z}_p^*$ and $S_0 \cap S_1 = \emptyset$, and $h : G \to \{0, 1\}$ is a hardcore bit function for the Diffie-Hellman key in $G$.³

Encrypt($PK$): Pick a random $r \leftarrow \mathbb{Z}_p$, and compute

$\psi = \big(g^r,\ g^{r f(i)},\ g^{r f(\hat{i})}\big), \qquad K = \big(h(y_0^r) \,\|\, h(y_1^r) \,\|\, \cdots \,\|\, h(y_{k-1}^r)\big)$

where $i = TCR_0(g^r)$ and $\hat{i} = TCR_1(g^r)$. The final output is $(\psi, K)$. (Notice that one can easily compute $g^{f(x)}$ from the public key as $g^{f(x)} = \prod_{0 \le l \le k+2} y_l^{x^l}$.)

Decrypt($dk, \psi, PK$): For a ciphertext $\psi = (C_0, C_1, C_2)$, check whether $(C_1, C_2) = (C_0^{f(i)}, C_0^{f(\hat{i})})$, where $i = TCR_0(C_0)$ and $\hat{i} = TCR_1(C_0)$. If not, output $\bot$. Otherwise, output $K = \big(h(C_0^{a_0}) \,\|\, h(C_0^{a_1}) \,\|\, \cdots \,\|\, h(C_0^{a_{k-1}})\big)$.

Theorem 1. Let $G$ be a multiplicative group with prime order $p$, $TCR_0$ and $TCR_1$ be $(\tau, \epsilon_{tcr})$ target collision resistant hash functions, and $h$ be a $(\rho_1, \rho_2)$ hardcore bit function for the Diffie-Hellman key in $G$. Then, the above scheme is $\big(\rho_1^{-1}(\tau) - o(\rho_1^{-1}(\tau)),\ k \cdot \rho_2^{-1}(\epsilon_{cdh}) + 2\epsilon_{tcr} + q_D\,(2k/(p-3) + 1/(p-k-2)),\ q_D\big)$ CCA-secure under the $(\tau, \epsilon_{cdh})$ CDH assumption on $G$.

Proof. Assume that for the challenge ciphertext $(g^\beta, g^{\beta f(i^*)}, g^{\beta f(\hat{i}^*)})$ such that $i^* = TCR_0(g^\beta)$ and $\hat{i}^* = TCR_1(g^\beta)$, there exists an adversary $A'$ which distinguishes $(h(y_0^\beta) \| h(y_1^\beta) \| \cdots \| h(y_{k-1}^\beta))$ from a random $k$-bit string. Then, by a standard hybrid argument, there also exists another adversary $A$ which for some $j$ such that $0 \le j \le k-1$ distinguishes

$\big(h(y_0^\beta) \,\|\, h(y_1^\beta) \,\|\, \cdots \,\|\, h(y_j^\beta) \,\|\, random_{k-j-1}\big)$

from

$\big(h(y_0^\beta) \,\|\, h(y_1^\beta) \,\|\, \cdots \,\|\, h(y_{j-1}^\beta) \,\|\, random_{k-j}\big)$

where $random_a$ denotes an $a$-bit random string.

Now, assume we are given such an adversary $A$ which distinguishes these two values with running time $\tau$, advantage $\epsilon$, and $q_D$ decryption queries. We use $A$ to construct another adversary $B$ which for given $(g, g^\alpha, g^\beta)$ distinguishes $h(g^{\alpha\beta})$ from a random bit. Define adversary $B$ as follows:

³ $h$ takes an additional random string $R$ if it is the Goldreich-Levin (GL) bit, where the size of $R$ is equal to that of a group element. See also the appendix of the cited work for the GL bit of Diffie-Hellman keys.
1. For given $(g, g^\alpha, g^\beta)$, $B$ picks target collision resistant hash functions $TCR_0$ and $TCR_1$, and computes $i^* = TCR_0(g^\beta)$ and $\hat{i}^* = TCR_1(g^\beta)$.

2. $B$ sets $y_j = g^\alpha$, and picks distinct randoms $rnd_j, \ldots, rnd_{k-1}$ from $\mathbb{Z}_p^* \setminus \{i^*, \hat{i}^*\}$. $B$ also picks randoms $u_{i^*}, u_{\hat{i}^*}, a_0, \ldots, a_{j-1}$, and $u_j, \ldots, u_{k-1}$ from $\mathbb{Z}_p$.

3. $B$ calculates $y_l = g^{a_l}$ for $0 \le l \le j-1$.

4. Let $f(x) = \sum_{l=0}^{k+2} a_l x^l$ be the polynomial over $\mathbb{Z}_p$ such that $a_j = \alpha$, $f(i^*) = u_{i^*}$, $f(\hat{i}^*) = u_{\hat{i}^*}$, and $f(rnd_j) = u_j, \ldots, f(rnd_{k-1}) = u_{k-1}$ (together with the fixed $a_0, \ldots, a_{j-1}$ these are $k+3$ constraints on $k+3$ coefficients, so $f$ is uniquely determined). Then, by using Lagrange interpolation in the exponent, $B$ calculates $y_{j+1}, \ldots, y_{k+2}$ such that $g^{f(x)} = \prod_{0 \le l \le k+2} y_l^{x^l}$. Notice that $y_l = g^{a_l}$ holds for $0 \le l \le k+2$.

5. $B$ inputs the public key $PK = (G, g, y_0, y_1, \ldots, y_{k+2}, TCR_0, TCR_1, h)$ and the challenge ciphertext $\psi^* = (g^\beta, (g^\beta)^{u_{i^*}}, (g^\beta)^{u_{\hat{i}^*}})$ and

$K^* = \big(h((g^\beta)^{a_0}) \,\|\, h((g^\beta)^{a_1}) \,\|\, \cdots \,\|\, h((g^\beta)^{a_{j-1}}) \,\|\, \gamma \,\|\, random_{k-j-1}\big)$

to $A$, where $\gamma$ is $h(g^{\alpha\beta})$ or a random bit.

6. When $A$ makes a decryption query $\psi = (C_0, C_1, C_2)$, $B$ proceeds as follows:

(a) If $C_0 = g^\beta$, then $B$ responds $\bot$.

(b) If $C_0 \ne g^\beta$ and $TCR_b(C_0) \in \{i^*, \hat{i}^*, rnd_j, \ldots, rnd_{k-2}, rnd_{k-1}\}$ for $b = 0$ or $1$, then $B$ aborts and outputs a random bit.

(c) If $C_0 \ne g^\beta$ and $TCR_b(C_0) \notin \{i^*, \hat{i}^*, rnd_j, \ldots, rnd_{k-2}, rnd_{k-1}\}$ for both $b = 0$ and $1$, $B$ computes $C_0^{u_{i^*}}, C_0^{u_{\hat{i}^*}}, C_0^{u_j}, \ldots, C_0^{u_{k-2}}$, and $C_0^{u_{k-1}}$. Let $TCR_0(C_0) = i$ and $TCR_1(C_0) = \hat{i}$, and let $f_1$, $f_2$, and $f_3$ be polynomials over $\mathbb{Z}_p$ with degree $k+2$ whose coefficient for the $x^l$ term is $a_l$ for $0 \le l \le j-1$, such that

$\big(f_1(i), f_1(\hat{i}), f_1(i^*), f_1(\hat{i}^*), f_1(rnd_{j+1}), \ldots, f_1(rnd_{k-1})\big) = \big(\log_{C_0} C_1,\ \log_{C_0} C_2,\ u_{i^*},\ u_{\hat{i}^*},\ u_{j+1}, \ldots, u_{k-1}\big),$

$\big(f_2(i), f_2(\hat{i}), f_2(i^*), f_2(rnd_j), \ldots, f_2(rnd_{k-1})\big) = \big(\log_{C_0} C_1,\ \log_{C_0} C_2,\ u_{i^*},\ u_j, \ldots, u_{k-1}\big),$

$\big(f_3(i), f_3(\hat{i}), f_3(\hat{i}^*), f_3(rnd_j), \ldots, f_3(rnd_{k-1})\big) = \big(\log_{C_0} C_1,\ \log_{C_0} C_2,\ u_{\hat{i}^*},\ u_j, \ldots, u_{k-1}\big).$

Then, $B$ calculates $C_0^{a_{1,l}}$, $C_0^{a_{2,l}}$, $C_0^{a_{3,l}}$ by using Lagrange interpolation in the exponent ($B$ does not know $\log_{C_0} C_1$ or $\log_{C_0} C_2$, but interpolation in the exponent only needs $C_1$, $C_2$, $C_0^{u_{i^*}}$ and so on, together with the known $a_0, \ldots, a_{j-1}$), where $a_{1,l}$, $a_{2,l}$, and $a_{3,l}$ denote the coefficients of the $x^l$ term of $f_1$, $f_2$, and $f_3$ for $j \le l \le k-1$, respectively, and responds

$K = \big(h(C_0^{a_0}) \,\|\, \cdots \,\|\, h(C_0^{a_{j-1}}) \,\|\, h(C_0^{a_{1,j}}) \,\|\, \cdots \,\|\, h(C_0^{a_{1,k-1}})\big)$

if $C_0^{a_{1,j}} = C_0^{a_{2,j}} = C_0^{a_{3,j}}$, or $\bot$ otherwise.

7. Finally, $A$ outputs a bit $b$ as his guess, and $B$ outputs the same bit $b$ as his own guess for $h(g^{\alpha\beta})$.

Let Win denote the event that $A$'s guess is correct in the real world, Abort denote the event that $A$ submits a ciphertext $\psi = (C_0, C_1, C_2)$ such that $C_0 \ne g^\beta$ and $TCR_b(C_0) \in \{i^*, \hat{i}^*, rnd_j, \ldots, rnd_{k-2}, rnd_{k-1}\}$ for $b = 0$ or $1$, and Invalid denote the event that $A$ submits a ciphertext $\psi = (C_0, C_1, C_2)$ such that $B$ does not abort, $C_0^{a_{1,j}} = C_0^{a_{2,j}} = C_0^{a_{3,j}}$, but $(C_1, C_2) \ne (C_0^{f(i)}, C_0^{f(\hat{i})})$.
Then, $B$'s advantage for guessing $h(g^{\alpha\beta})$ is estimated as follows:

$\tfrac{1}{2} \cdot \big| \Pr[B(g, g^\alpha, g^\beta, h(g^{\alpha\beta})) = 0] - \Pr[B(g, g^\alpha, g^\beta, T) = 0] \big|$

$\ \ge\ \big| \Pr[\mathrm{Win} \mid \overline{\mathrm{Abort}} \wedge \overline{\mathrm{Invalid}}] \cdot \Pr[\overline{\mathrm{Abort}} \wedge \overline{\mathrm{Invalid}}] - \tfrac{1}{2} \big|$

$\ \ge\ \big| \Pr[\mathrm{Win}] - \Pr[\mathrm{Abort}] - \Pr[\mathrm{Invalid}] - \tfrac{1}{2} \big|,$

where $T$ denotes a random bit.

Now, we prove the following lemmas.

Lemma 1. $\Pr[\mathrm{Abort}] \le 2\epsilon_{tcr} + 2q_D(k-j)/(p-3)$.

Proof. Assume we are given an adversary $A$ with $\Pr[\mathrm{Abort}] = p_A$. Then, we can construct another adversary $B'$ which, for given $C \leftarrow G$, finds $C' (\ne C) \in G$ such that $TCR_b(C') = TCR_b(C)$ for $b = 0$ or $1$, as follows: For given $C$, $B'$ generates the decryption key $f(x)$ and public key $PK = (G, g, y_0, y_1, \ldots, y_{k+2}, TCR_0, TCR_1, h)$, and computes the challenge ciphertext $\psi^* = (C, C^{u_{i^*}}, C^{u_{\hat{i}^*}})$, where $u_{i^*} = f(i^*)$, $u_{\hat{i}^*} = f(\hat{i}^*)$, $i^* = TCR_0(C)$, and $\hat{i}^* = TCR_1(C)$. $B'$ also picks distinct randoms $rnd_j, \ldots, rnd_{k-1}$ from $\mathbb{Z}_p^* \setminus \{i^*, \hat{i}^*\}$, and gives $PK$ and $(\psi^*, K^*)$ to $A$, where $K^*$ is the correct key under $f(x)$ or a random $k$-bit string, each with probability $1/2$.

Since $rnd_j, \ldots, rnd_{k-1}$ are information-theoretically hidden from $A$, for a query $\psi = (C_0, C_1, C_2)$ the event that $TCR_0(C_0)$ or $TCR_1(C_0)$ lies in $\{rnd_j, \ldots, rnd_{k-2}, rnd_{k-1}\}$ happens with probability at most $2(k-j)/(p-3)$. Therefore, the probability that $A$ submits a ciphertext $\psi = (C_0, C_1, C_2)$ with $C_0 \ne C$ such that $TCR_0(C_0) = i^*$ or $TCR_1(C_0) = \hat{i}^*$ is at least $p_A - 2q_D(k-j)/(p-3)$. $B'$ outputs such a $C_0$ as $C'$.

By using $B'$ as it is, we immediately have an algorithm $B''$ which for given $C \leftarrow G$ finds $C'' (\ne C) \in G$ such that $TCR_0(C'') = TCR_0(C)$ with probability at least $p_A - 2q_D(k-j)/(p-3) - p_1$, where $p_1$ is the probability that $B'$ outputs $C'$ such that $TCR_1(C') = TCR_1(C)$. Since $p_1 \le \epsilon_{tcr}$, $B''$'s advantage is at least $p_A - 2q_D(k-j)/(p-3) - \epsilon_{tcr}$. Hence, $\epsilon_{tcr} \ge p_A - 2q_D(k-j)/(p-3) - \epsilon_{tcr}$, and therefore we have $2\epsilon_{tcr} + 2q_D(k-j)/(p-3) \ge p_A$. □

Lemma 2. $\Pr[\mathrm{Invalid}] \le q_D/(p-k-2)$.

Proof. Let $f_0(x) = \sum_{0 \le l \le j-1} a_l x^l$, and write the polynomials $f_1(x)$, $f_2(x)$, and $f_3(x)$ of step 6(c) as $f_l(x) = f_0(x) + x^j \cdot f'_l(x)$ for $l = 1, 2, 3$. Let $f(x)$ be the polynomial such that $f(x) = f_0(x) + x^j \cdot f'(x)$. Suppose $\psi = (C_0, C_1, C_2)$ is a ciphertext such that $B$ does not abort, $C_0^{f'_1(0)} = C_0^{f'_2(0)} = C_0^{f'_3(0)}$, but $(C_1, C_2) \ne (C_0^{f(i)}, C_0^{f(\hat{i})})$. Then, we notice that $f'_1$ and $f'_2$, which are polynomials of degree $k-j+2$, have $k-j+3$ intersections (at $0$, $i$, $\hat{i}$, $i^*$, and $rnd_{j+1}, \ldots, rnd_{k-1}$), and consequently they have to be identical. Similarly, we have that $f'_1 = f'_2 = f'_3$. This implies that for $[\mathrm{Invalid} = \mathrm{true}]$, $A$ has to choose $C_1$ and $C_2$ (without knowing $rnd_j, \ldots, rnd_{k-1}$) such that $f'_1$ (with degree $k-j+2$) satisfies

1. $\big(f'_1(i), f'_1(\hat{i}), f'_1(i^*), f'_1(\hat{i}^*), f'_1(rnd_j), \ldots, f'_1(rnd_{k-1})\big)$
$= \big((\log_{C_0} C_1 - f_0(i)) \cdot i^{-j},\ (\log_{C_0} C_2 - f_0(\hat{i})) \cdot \hat{i}^{-j},\ f'(i^*),\ f'(\hat{i}^*),\ f'(rnd_j), \ldots, f'(rnd_{k-1})\big),$

2. $f'_1 \ne f'$.

Since $f'_1$ and $f'$ have at most $k-j+2$ intersections and $k-j+1$ of them are $(i^*, f'(i^*))$, $(\hat{i}^*, f'(\hat{i}^*))$, $(rnd_{j+1}, f'(rnd_{j+1})), \ldots, (rnd_{k-1}, f'(rnd_{k-1}))$, there is only one remaining intersection, which must be $(rnd_j, f'(rnd_j))$. Therefore, $[\mathrm{Invalid} = \mathrm{true}]$ happens only when $A$ correctly guesses the value of $rnd_j$ (even if $A$ is given $rnd_{j+1}, \ldots, rnd_{k-1}$). Hence, for any invalid query $\psi$, the probability that $B$ does not respond $\bot$ is at most $1/(p-k+j-2)$ $(\le 1/(p-k-2))$. □

$A$'s advantage is estimated as at least $1/k$ times $A'$'s advantage due to the hybrid argument. □

5 Efficient CCCA-Secure KEM from HDH

In this section, based on the strategy in Sec. 4, we propose another KEM which is CCCA-secure [22] under the HDH assumption. This scheme is as efficient as the KD scheme [26] with a weaker assumption. As shown in [22], a CCA-secure PKE scheme can be constructed by combining any CCCA-secure KEM and an authenticated symmetric key encryption scheme as a DEM. Let $G$ be a multiplicative group with prime order $p$, and $g \in G$ be a generator. Then, the construction of our CCCA-secure KEM is as follows:

Setup($1^k$): Generate a random polynomial $f(x) = a_0 + a_1 x + a_2 x^2$ over $\mathbb{Z}_p$, and compute $y_j = g^{a_j}$ for $0 \le j \le 2$. The decryption key is $f(x)$, and the public key is $PK = (G, g, y_0, y_1, y_2, TCR, h)$, where $TCR : G \to \mathbb{Z}_p^*$ is a target collision resistant hash function and $h : G \to \{0, 1\}^k$ is a hash function.

Encrypt($PK$): Pick a random $r \leftarrow \mathbb{Z}_p$, and compute $\psi = (g^r, g^{r f(i)})$ and $K = h(y_0^r)$, where $i = TCR(g^r)$. The final output is $(\psi, K)$. (Notice that one can easily compute $g^{f(i)}$ as $g^{f(i)} = \prod_{0 \le j \le 2} y_j^{i^j}$.)

Decrypt($dk, \psi, PK$): For a ciphertext $\psi = (C_0, C_1)$, check whether $C_1 = C_0^{f(i)}$, where $i = TCR(C_0)$. If not, output $\bot$. Otherwise, output $K = h(C_0^{a_0})$.

The above scheme can be proved to be CCCA-secure, and its security is formally addressed in the full version of this paper.
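Toy instantiation of the Section 4 KEM, added here as a worked example; it is not code from the paper (the Section 5 KEM is the same pattern with a degree-2 polynomial and a single consistency check, so it is not implemented separately). The example assumes a toy-sized group (the order-509 subgroup of $\mathbb{Z}_{1019}^*$), $k = 8$ key bits, and SHA-256-derived stand-ins for $TCR_0$, $TCR_1$ and for the hardcore-bit function $h$; none of these choices appear in the paper. The point of the example is the verifiability check in Decrypt, which is what lets the simulator of Theorem 1 answer decryption queries and what rejects a malformed ciphertext.

```python
"""Toy run of the Section 4 KEM: a degree-(k+2) polynomial in the exponent with two
redundant ciphertext components that the decryptor re-derives and compares.

Added example, not code from the paper.  Assumptions: a toy-sized group (the
order-509 subgroup of Z_1019^*), k = 8 key bits, and SHA-256-derived stand-ins
for TCR_0, TCR_1 and for the hardcore-bit function h.
"""
import hashlib
import secrets

Q = 1019             # safe prime, Q = 2P + 1
P = 509              # prime order of the subgroup G of quadratic residues mod Q
G = 4                # 2^2 mod Q generates G (any residue other than 1 does)
K = 8                # security parameter k: number of key bits
HALF = (P - 1) // 2  # S_0 = {1..HALF} and S_1 = {HALF+1..P-1}: disjoint subsets of Z_P^*


def tcr(b, elem):
    """Stand-in for TCR_b : G -> S_b (assumption: SHA-256 reduced into S_b)."""
    digest = hashlib.sha256(f"tcr{b}|{elem}".encode()).digest()
    return 1 + b * HALF + int.from_bytes(digest, "big") % HALF


def hardcore_bit(elem):
    """Stand-in for h : G -> {0,1}; the paper uses a GL bit, hash parity is an assumption."""
    return hashlib.sha256(f"h|{elem}".encode()).digest()[0] & 1


def in_group(elem):
    """Membership in G; exponentiating a foreign element with secret data is never safe."""
    return 0 < elem < Q and pow(elem, P, Q) == 1


def poly_eval(coeffs, x):
    return sum(c * pow(x, l, P) for l, c in enumerate(coeffs)) % P


def setup():
    """Decryption key f(x) of degree k+2; public key y_l = g^{a_l}."""
    coeffs = [secrets.randbelow(P) for _ in range(K + 3)]
    ys = [pow(G, c, Q) for c in coeffs]
    return coeffs, ys


def g_pow_f(ys, x):
    """g^{f(x)} = prod_l y_l^{x^l}, computable from the public key alone."""
    acc = 1
    for l, y in enumerate(ys):
        acc = acc * pow(y, pow(x, l, P), Q) % Q
    return acc


def encrypt(ys):
    r = 1 + secrets.randbelow(P - 1)
    c0 = pow(G, r, Q)
    i, i_hat = tcr(0, c0), tcr(1, c0)
    psi = (c0, pow(g_pow_f(ys, i), r, Q), pow(g_pow_f(ys, i_hat), r, Q))
    key = tuple(hardcore_bit(pow(ys[l], r, Q)) for l in range(K))
    return psi, key


def decrypt(coeffs, psi):
    c0, c1, c2 = psi
    if c0 == 1 or not all(in_group(c) for c in psi):
        return None
    i, i_hat = tcr(0, c0), tcr(1, c0)
    # Verifiability check: both redundant components must be consistent with f; by
    # Lemma 2 an adversary cannot pass it without knowing f (or guessing rnd_j).
    if (c1, c2) != (pow(c0, poly_eval(coeffs, i), Q), pow(c0, poly_eval(coeffs, i_hat), Q)):
        return None
    return tuple(hardcore_bit(pow(c0, coeffs[l], Q)) for l in range(K))


def demo():
    """Round trip plus a tampered ciphertext: returns (round_trip_ok, tampered_rejected)."""
    coeffs, ys = setup()
    psi, key = encrypt(ys)
    c0, c1, c2 = psi
    tampered = (c0, c1 * G % Q, c2)     # still in G, but no longer C_0^{f(i)}
    return decrypt(coeffs, psi) == key, decrypt(coeffs, tampered) is None
```

Run demo() for a round trip and a rejected tampered ciphertext. Two points a practitioner should keep in mind: the group-membership test on $C_0, C_1, C_2$ is not part of the paper's description but is the standard precondition before exponentiating with secret data (a foreign element of small order would otherwise leak information about $f$), and the stand-in hash functions give none of the hardcore-bit or target-collision guarantees the proof of Theorem 1 relies on.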

6 Comparison 

Table 1 shows a comparison of our schemes with other CCA-secure schemes, i.e. Cramer-Shoup (CS), Kurosawa-Desmedt (KD) [26], Boyen-Mei-Waters (BMW), Kiltz [25], Cash-Kiltz-Shoup (CKS) [13], and Hofheinz-Kiltz (HK). In the comparison, we utilize a redundancy-free CCA-secure DEM for constructing a CCA-secure hybrid encryption scheme from a CCA-secure KEM.

As seen in Table 1, our proposed scheme in Sec. 4 yields both provable security under the CDH assumption and short ciphertext length which is comparable to other practical schemes. Comparing with the CDH-based CKS scheme, our scheme in Sec. 4 is more efficient, and especially, the ciphertext overhead of our scheme, i.e. three group elements, is much shorter than that of the CKS scheme, i.e. $k/\log k + 2$ group elements, since $k/\log k \approx 18$ for 128-bit security. In the comparison, we assume that $\log k$ hardcore bits can be extracted from a single DH key. Furthermore, the ciphertext overhead of our scheme is the same as that of the CS scheme. Our scheme in Sec. 5 is as efficient as the KD scheme with a weaker underlying assumption. The Hofheinz-Kiltz scheme (with a slight modification) has almost the same property as ours. (See also the related footnote earlier in the paper.)

Table 1. Efficiency comparison for CCA-secure PKE schemes. Some figures are borrowed from the literature cited in the text. For efficiency, we count the number of pairings, multi- (or sequential-) exponentiations, regular exponentiations, and other group operations ("ops" denotes group operations) used for encryption and decryption. All symmetric operations (such as hash function/MAC/KDF) are ignored. Ciphertext overhead represents the difference between ciphertext and plaintext length, and |g| and |mac| are the length of a group element and an authentication tag, respectively. In the table, we let $k' = k/\log k$ where $k$ is the security parameter, i.e. the DEM-key length. Encryption and decryption costs are written as #pairings + [multi-exp, regular-exp] (+ ops).

Scheme           Assumption   Ciphertext overhead   Encryption                Decryption
CS               DDH          3|g|                  0 + [1, 3]                0 + [1, 1]
KD [26]          DDH          2|g| + |mac|          0 + [1, 2]                0 + [1, 0]
BMW              BDH          2|g|                  0 + [1, 2]                1 + [0, 1]
Kiltz [25]       GHDH         2|g|                  0 + [1, 2]                0 + [1, 0]
CKS [13]         CDH          (k' + 2)|g|           0 + [k' + 1, k' + 1]      0 + [k', 0]
CKS [13]         HDH          3|g|                  0 + [2, 2]                0 + [1, 0]
HK†              HDH          2|g| + |mac|          0 + [1, 2]                0 + [1, 0]
Ours (Sec. 4)    CDH          3|g|                  0 + [2*, k' + 1]          0 + [k', 0]
Ours (Sec. 5)    HDH          2|g| + |mac|          0 + [1, 2]                0 + [1, 0]
Ours (Sec. 7.3)  2ℓ-BDHE      2|g|                  0 + [0, 3] + ℓ ops        3 + [0, 0] + ℓ ops

† A slight modification is applied.

* Relatively more expensive computation is needed for one exponentiation.


7 CCA- Security from BE with Verifiability 

In this section, we observe that it is possible to construct a CCA-secure PKE 
scheme from an arbitrary verifiable BE scheme, and that security of many exist- 
ing CCA-secure PKE schemes can also be explained from this viewpoint. This 
observation implies that one of promising approaches for achieving CCA-security 
is to concentrate on designing verifiable BE schemes. In fact, constructions of 
our proposed schemes are based on this approach. 

7.1 The Generic Conversion 

Given a verifiable BE scheme $\Pi' = (\mathrm{Setup}', \mathrm{Encrypt}', \mathrm{Decrypt}')$ which is CPA-secure against selective adversaries, we construct a CCA-secure KEM $\Pi = (\mathrm{Setup}, \mathrm{Encrypt}, \mathrm{Decrypt})$. In the construction, we use a strong one-time signature scheme $\Sigma = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Verify})$ in which the verification key generated by $\mathrm{Gen}(1^k)$ has length $k$. We assume that the maximum number of potential users in $\Pi'$ is $n$, and a sender can revoke $t$ users, where there exists an injective mapping (or a target collision resistant hash function) $\mathrm{INJ} : \{0, 1\}^k \to V$ and $V$ is the set of all subsets $S \subseteq \{1, \ldots, n\}$ with $|S| = n - t$. Notice that for the existence of such an injective mapping, it is necessary that $\binom{n}{t} \ge 2^k$ (for example, $(n, t) = (2k, k)$). The construction of $\Pi$ is as follows:

Setup($1^k$): Choose $n$ and $t$ (which is a possible parameter choice for $\Pi'$) such that $\binom{n}{t} \ge 2^k$. Run $\mathrm{Setup}'(1^k, n, t)$ to obtain $(d_1, \ldots, d_n, PK')$, and pick an injective mapping $\mathrm{INJ} : \{0, 1\}^k \to V$. The decryption key is $dk = (d_1, \ldots, d_n)$ and the public key is $PK = (PK', \mathrm{INJ})$.

Encrypt($PK$): Run $\mathrm{Gen}(1^k)$ to obtain a verification key $vk$ and a signing key $sk$ (with $|vk| = k$), and compute $S_{vk} = \mathrm{INJ}(vk)$, $(\psi, K) \leftarrow \mathrm{Encrypt}'(S_{vk}, PK')$ and $\sigma \leftarrow \mathrm{Sign}(sk, \psi)$. The final output is $((\psi, vk, \sigma), K)$.

Decrypt($dk, \psi, PK$): For a ciphertext $(\psi, vk, \sigma)$, check whether $\mathrm{Verify}(vk, \psi, \sigma) = 1$. If not, output $\bot$. Otherwise, compute $S_{vk} = \mathrm{INJ}(vk)$ and output $K \leftarrow \mathrm{Decrypt}'(S_{vk}, i, d_i, \psi, PK')$ where $i \in S_{vk}$.

CCA-security of the above construction can be proven in a similar manner to [12]. We give an intuitive explanation for the security. Let $A$ be an algorithm which can break CCA-security of $\Pi$. Then, it is possible to construct another algorithm $B$ which can break $\Pi'$ by using $A$ as follows: $B$ runs $(vk^*, sk^*) \leftarrow \mathrm{Gen}(1^k)$, and commits $S^* = \mathrm{INJ}(vk^*)$ as the subset of users which will be attacked. For the given public key $PK'$ of $\Pi'$, $B$ passes $(PK', \mathrm{INJ})$ to $A$ as a public key of $\Pi$. When $A$ submits a decryption query $(\psi, vk, \sigma)$, $B$ responds to it by simply decrypting the ciphertext with the decryption key $d_i$ such that $i \in \mathrm{INJ}(vk) \setminus S^* \subseteq \{1, \ldots, n\}$. We note that there always exists at least one such decryption key unless $vk = vk^*$ (since $\mathrm{INJ}(vk)$ and $S^*$ are distinct sets of the same size), and $vk \ne vk^*$ holds with overwhelming probability if $\sigma$ is a valid signature. Let $(\psi^*, K^*)$ be a challenge ciphertext of $\Pi'$ from the challenger. Then, $B$ gives $((\psi^*, vk^*, \sigma^*), K^*)$ to $A$ as a challenge ciphertext of $\Pi$ where $\sigma^* \leftarrow \mathrm{Sign}(sk^*, \psi^*)$. A formal security proof is given in the full version of this paper.

Theorem 2. If $\Pi'$ is a $(\tau, \epsilon_{cpa}, n, t)$ semantically secure and $(\tau, \epsilon_{vfy}, n, t)$ publicly verifiable broadcast encryption scheme such that $\binom{n}{t} \ge 2^k$, and $\Sigma$ is a $(\tau, \epsilon_{uf})$ strongly unforgeable one-time signature scheme, then $\Pi$ is a $(\tau - o(\tau),\ \epsilon_{cpa} + \epsilon_{vfy} + \epsilon_{uf},\ q_D)$ CCA-secure key encapsulation mechanism.

A similar result can also be obtained from privately verifiable BE schemes. 

7.2 Remarks 

We notice that the above generic conversion is identical to the Canetti-Halevi-Katz (CHK) paradigm [12] except that the underlying primitive of CHK, i.e. IBE, is replaced with verifiable BE in our construction. Kiltz also showed that IBE is not always necessary for CHK and that a weaker primitive called tag-based encryption (TBE) is sufficient, and demonstrated how to construct a
Table 2. Relation among broadcast encryption and public key encryption schemes. The column "(n, t)" denotes a possible and typical parameter setting for each underlying broadcast encryption scheme, and poly(k) and exp(k) denote polynomial and exponential functions of the security parameter k, respectively. For verifiability, related cryptographic tools are described, and ✓ means that the underlying broadcast encryption has verifiability as it is.

BE Scheme       (n, t)            Verifiability   PKE Scheme
Trivial BE      (poly(k), n/2)    NIZK            DDN
Naor-Pinkas     (exp(k), 1)       DDH             a variant of CS
                                  GHDH            Kiltz [25]
                                  Sec. 3.2        Ours
IBE             (exp(k), n - 1)   ✓               CHK [12]
BGW             (poly(k), n/2)    ✓               Ours


concrete TBE scheme without using IBE-related techniques. There are also other CCA-secure schemes whose security can be explained via the TBE framework. Our proposed method is a generic construction of TBE from BE with verifiability.

Many existing CCA-secure PKE schemes can be explained via our observation in Sec. 7.1 with different underlying BE schemes, and relations among existing BE and CCA-secure PKE schemes are summarized in Table 2. We give more detailed explanations for this in the full version of this paper.

7.3 Another New CCA-Secure KEM from Boneh-Gentry-Waters

Based on the proposed methodology, we can construct yet another new practical CCA-secure KEM from the BGW BE scheme [5]. This can be further evidence that BE with verifiability is a powerful tool for constructing CCA-secure PKE. The proposed scheme yields a tight security reduction to the $2\ell$-BDHE problem [5] for relatively small $\ell$, short ciphertexts and short decryption keys. The concrete construction of the scheme is as follows: Let $G_1$ and $G_2$ be multiplicative cyclic groups with prime order $p$, and $e : G_1 \times G_1 \to G_2$ be a bilinear mapping [5]. Setup($1^k$) chooses $\ell \in \mathbb{N}$ such that $\binom{2\ell}{\ell} \ge 2^k$, and picks a random generator $g \in G_1$ and random $\alpha, \gamma \in \mathbb{Z}_p$. It also generates $g_1, \ldots, g_{4\ell}$, $v$, and $Z$ where $g_i = g^{\alpha^i}$, $v = g^\gamma$, and $Z = e(g_{2\ell+1}, g)$. The decryption key is $dk = g^{\alpha^{2\ell+1}}$, and the public key is $PK = (g, g_1, \ldots, g_{2\ell}, g_{2\ell+2}, \ldots, g_{4\ell}, v, Z, TCR)$, where $TCR : G_1 \to V$ is a target collision resistant hash function and $V = \{S \mid S \subseteq \{1, \ldots, 2\ell\}, |S| = \ell\}$. Encrypt($PK$) picks a random $r \in \mathbb{Z}_p$, sets $K = Z^r \in G_2$, computes $S = TCR(g^r)$, and outputs $(\psi, K)$ where $\psi = \big(g^r, (v \cdot \prod_{j \in S} g_{2\ell+1-j})^r\big) \in G_1^2$. For a ciphertext $\psi = (C_0, C_1)$, Decrypt($dk, \psi, PK$) computes $S = TCR(C_0)$, and checks whether $e(g, C_1) = e(v \cdot \prod_{j \in S} g_{2\ell+1-j}, C_0)$. It outputs $\bot$ if it is invalid, or $K = e(dk, C_0)$ otherwise. Security of this scheme can be proven by a straightforward combination of the proofs of Theorem 2 of this paper and Theorem 3.1 of [5]. Unfortunately, this scheme is not very advantageous over other schemes, but it is still comparably efficient to other practical schemes (see Table 1).
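A concrete INJ for the generic conversion of Sec. 7.1 together with the subset-valued TCR of Sec. 7.3, added as an example; this is not the paper's code. The paper only requires INJ to be injective with $\binom{n}{t} \ge 2^k$; the combinatorial-number-system unranking, the SHA-256 front end for the Sec. 7.3 map, and the name decryption_index for the simulator's choice of $i \in \mathrm{INJ}(vk) \setminus S^*$ are all assumptions made for this example.

```python
"""INJ : {0,1}^k -> t-subsets of {1..n} (Sec. 7.1) and the TCR-to-subset map of Sec. 7.3.

Added example, not the paper's code.  The paper only requires INJ to be injective
and C(n, t) >= 2^k; colex unranking and SHA-256 are the choices made here (assumptions).
"""
import hashlib
from math import comb


def smallest_ell(k):
    """Smallest ell with C(2*ell, ell) >= 2^k, the parameter choice of Sec. 7.3."""
    ell = 1
    while comb(2 * ell, ell) < 2 ** k:
        ell += 1
    return ell


def inj(value, k, n, t):
    """Injective map from a k-bit integer to a t-subset of {1..n} (colex unranking)."""
    if comb(n, t) < 2 ** k or not 0 <= value < 2 ** k:
        raise ValueError("need C(n, t) >= 2^k and a k-bit value")
    rank, subset = value, []
    for size in range(t, 0, -1):
        # largest c with C(c, size) <= rank; successive c strictly decrease,
        # so the t chosen elements are distinct
        c = size - 1
        while comb(c + 1, size) <= rank:
            c += 1
        subset.append(c + 1)           # shift to the 1-based user names {1..n}
        rank -= comb(c, size)
    return frozenset(subset)


def tcr_subset(elem_bytes, k, ell):
    """Sec. 7.3's TCR : G_1 -> V (ell-subsets of {1..2*ell}) via the first k hash bits."""
    digest = hashlib.sha256(elem_bytes).digest()
    value = int.from_bytes(digest, "big") >> (256 - k)
    return inj(value, k, 2 * ell, ell)


def decryption_index(s_vk, s_star):
    """An i in INJ(vk) \\ S* for the simulator of Sec. 7.1; None exactly when vk = vk*."""
    diff = s_vk - s_star
    return min(diff) if diff else None


def check_injective(k, n, t):
    """Exhaustive check of injectivity and subset size for small parameters."""
    images = {inj(v, k, n, t) for v in range(2 ** k)}
    universe = set(range(1, n + 1))
    return len(images) == 2 ** k and all(len(s) == t and s <= universe for s in images)
```

The simulator's argument in Sec. 7.1 is visible in decryption_index: two distinct subsets of the same size $n - t$ always differ in at least one element, so a query with $vk \ne vk^*$ can be answered with some $d_i$ that the simulator holds.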
7.4 A Generic Construction of CCA-Secure Broadcast Encryption

By using our methodology, it is also generically possible to construct a CCA-secure BE scheme from a CPA-secure one with public verifiability. The conversion is fairly simple, and the resulting CCA-secure scheme can be practical. When applying this to the BGW BE scheme, we can have a new CCA-secure BE scheme with verifiability whose computational cost is slightly better than the previous scheme. A more detailed explanation is given in the full version of this paper.
Abstract. This paper introduces fast algorithms for performing group operations on twisted Edwards curves, pushing the recent speed limits of Elliptic Curve Cryptography (ECC) forward in a wide range of applications. Notably, the new addition algorithm uses 8M for suitably selected curve constants. In comparison, the fastest point addition algorithms for (twisted) Edwards curves stated in the literature use 9M + 1S. It is also shown that the new addition algorithm can be implemented with four processors, dropping the effective cost to 2M. This implies an effective speed increase by the full factor of 4 over the sequential case. Our results allow faster implementation of elliptic curve scalar multiplication.

In addition, the new point addition algorithm can be used to provide a natural protection from side channel attacks based on simple power analysis (SPA).

Keywords: Efficient elliptic curve arithmetic, unified addition, side channel attack, SPA.

1 Introduction 

Edwards curves are drawing increasing attention with their low cost and memory 
friendly arithmetic in cryptographic applications. Recently, there has been a 
rapid development of Edwards curves and their use in cryptology. An outline of 
the previous work that closely relates to twisted Edwards curves is as follows. 

— Building on the historical results of Euler and Gauss, Edwards introduced a normal form for elliptic curves and stated the addition law. These curves are defined by $x^2 + y^2 = c^2 + c^2 x^2 y^2$.

— Bernstein and Lange introduced a more general version of these curves defined by $x^2 + y^2 = c^2(1 + dx^2y^2)$ or simply $x^2 + y^2 = 1 + dx^2y^2$, together with the first algorithms for computing the group operations in projective coordinates. For instance, the addition costs $10M + 1S + 1D$ with $c = 1$.¹ Here, and in the rest of this paper, multiplication by a curve constant is denoted by D. With the definitions given there, these curves are today known as the Edwards curves.

— Bernstein and Lange introduced the inverted Edwards coordinates, which reduce the cost for the group operations on Edwards curves. For instance, the addition costs $9M + 1S + 1D$.

¹ M: Field multiplication, S: Field squaring, I: Field inversion.

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 326-343, 2008.

— Bernstein, Birkner, Joye, Lange, and Peters introduced twisted Edwards curves $ax^2 + y^2 = 1 + dx^2y^2$, a generalization of Edwards curves.

In this paper, the speed of the arithmetic of twisted Edwards curves is increased by a suitable point representation. The new system is called extended twisted Edwards coordinates, which adds an auxiliary coordinate to twisted Edwards coordinates. Despite the computational overhead of the additional coordinate, we develop faster ways of performing point addition since the new formulae are composed of polynomial expressions with lower total degrees. We show that the increase in the number of coordinates comes with an increase in the level of parallelism which is exploited for further improvements. We also provide optimizations for the scalar multiplication by mixing extended twisted Edwards coordinates with twisted Edwards coordinates.

The paper is organized as follows. A review of twisted Edwards curves together with some new results is given in Section 2. The new point representation is introduced in Section 3. Several applications of the new achievements are given in Section 4. We draw our conclusions in Section 5.

2 Twisted Edwards Curves 

In what follows some terms related to the group law on elliptic curves will be extensively used. In particular, the term unified is used to emphasize that point addition formulae remain valid when two input points are identical, see [10, Section 29.1.2]. Therefore, unified addition formulae can be used for point doubling. The term complete is used to emphasize that addition formulae are defined for all inputs. The term readdition is used to emphasize that a point addition has already taken place and some of the previously computed data is cached. The term mixed addition refers to adding an affine point to a point in some projective representation. We adapt the notation from the works cited above.

Let $K$ be a field of odd characteristic. Bernstein and Lange introduce Edwards curves defined by $x^2 + y^2 = c^2(1 + dx^2y^2)$ where $c, d \in K$ with $cd(1 - dc^4) \ne 0$. In the twisted Edwards paper of Bernstein et al., this form is generalized to twisted Edwards form defined by

$E_{E,a,d} : \ ax^2 + y^2 = 1 + dx^2y^2$

where $a, d \in K$ with $ad(a - d) \ne 0$. Edwards curves are then a special case of twisted Edwards curves where $a$ can be rescaled to 1. We next review some formulae regarding the group law on twisted Edwards curves which will be used with slight modifications in Section 3.

Affine addition formulae for twisted Edwards curves (also given for $a = 1$ by Bernstein and Lange):

$(x_1, y_1) + (x_2, y_2) = \left( \frac{x_1 y_2 + y_1 x_2}{1 + d x_1 x_2 y_1 y_2},\ \frac{y_1 y_2 - a x_1 x_2}{1 - d x_1 x_2 y_1 y_2} \right) = (x_3, y_3).$ (1)

The point $(0, 1)$ is the identity element and the point $(0, -1)$ is of order 2. The negative of a point $(x, y)$ is $(-x, y)$. For further facts such as the resolution of singularities or the points at infinity or the coverage of these curves or the group structure, we refer the reader to the original twisted Edwards paper. Also see the other works cited in Section 1.

For Edwards curves (where $a = 1$) and later for twisted Edwards curves, it was proven that if $d$ is not a square in $K$ and $a$ is a square in $K$ then these formulae are complete. In Theorem 1, with reasonable assumptions, we show that it is possible to prevent exceptions in the addition formulae even if $d$ is a square in $K$ or $a$ is not a square in $K$. We should note that this statement should not be considered as a recommendation for selecting $d$ a square in $K$ and/or $a$ a non-square in $K$. The desired properties for $a$ and $d$ may change depending on the target application. We will recall Theorem 1 in Section 3.

Theorem 1. Let $K$ be a field of odd characteristic. Let $E_{E,a,d}$ be a twisted Edwards curve defined over $K$. Let $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ be points on $E_{E,a,d}$. Assume that $P$ and $Q$ are of odd order. It follows that $1 - d x_1 x_2 y_1 y_2 \ne 0$ and $1 + d x_1 x_2 y_1 y_2 \ne 0$.

Proof. For Edwards curves (where $a = 1$) and later for twisted Edwards curves, it is proven that the points at infinity (over the extension of $K$ where they exist) are of even order. Assume that $P$ and $Q$ are of odd order. Thus, $P$, $Q$ and $P + Q$ cannot be the points at infinity. Since the formulae (1) are complete provided that the points at infinity are not involved, the denominators of (1), $1 - d x_1 x_2 y_1 y_2$ and $1 + d x_1 x_2 y_1 y_2$, must be nonzero. □


Affine doubling formulae (independent of $d$) for twisted Edwards curves, deduced from the twisted Edwards paper:

$2(x_1, y_1) = \left( \frac{2 x_1 y_1}{y_1^2 + a x_1^2},\ \frac{y_1^2 - a x_1^2}{2 - y_1^2 - a x_1^2} \right).$ (2)

The exceptional cases and how to prevent them are analogous to formulae (1).

Affine addition formulae (independent of $d$) for twisted Edwards curves, adapted from our preprint: Consider the relations obtained by the curve equation, $a x_1^2 + y_1^2 = 1 + d x_1^2 y_1^2$ and $a x_2^2 + y_2^2 = 1 + d x_2^2 y_2^2$. After straightforward eliminations, we express $a$ and $d$ in terms of $x_1, x_2, y_1, y_2$ as follows,

$a = \frac{(x_1^2 y_1^2 - x_2^2 y_2^2) - y_1^2 y_2^2 (x_1^2 - x_2^2)}{x_1^2 x_2^2 (y_1^2 - y_2^2)}, \qquad d = \frac{(x_1^2 - x_2^2) - (x_1^2 y_2^2 - y_1^2 x_2^2)}{x_1^2 x_2^2 (y_1^2 - y_2^2)}.$

Ignoring any exceptions that can be introduced by these rational expressions, substituting $d$ into the addition formulae (1) and simplifying yields

$x_3 = \frac{x_1 y_2 + y_1 x_2}{1 + d x_1 x_2 y_1 y_2} = \frac{x_1 y_1 + x_2 y_2}{y_1 y_2 + a x_1 x_2}, \qquad y_3 = \frac{y_1 y_2 - a x_1 x_2}{1 - d x_1 x_2 y_1 y_2} = \frac{x_1 y_1 - x_2 y_2}{x_1 y_2 - y_1 x_2}.$

The addition formulae (independent of $d$) are then as follows,

$(x_1, y_1) + (x_2, y_2) = \left( \frac{x_1 y_1 + x_2 y_2}{y_1 y_2 + a x_1 x_2},\ \frac{x_1 y_1 - x_2 y_2}{x_1 y_2 - y_1 x_2} \right) = (x_3, y_3).$ (3)

The formulae given by (3) produce the same outputs as the addition formulae (1). However, these formulae fail for point doubling. In addition, there are exceptional cases even if $d$ is not a square in $K$ and $a$ is a square in $K$. The following theorem states these points explicitly.

Theorem 2. Let $K$ be a field of odd characteristic. Let $E_{E,a,d}$ be a twisted Edwards curve defined over $K$. Let $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ be points on $E_{E,a,d}$. Assume that $P$ is fixed.

If $x_1 = 0$ or $y_1 = 0$ then $y_1 y_2 + a x_1 x_2 = 0$ if and only if $Q \in S_x$ where $S_x = \{(y_1/\sqrt{a}, -x_1\sqrt{a}), (-y_1/\sqrt{a}, x_1\sqrt{a})\}$. Similarly, $x_1 y_2 - y_1 x_2 = 0$ if and only if $Q \in S_y$ where $S_y = \{(x_1, y_1), (-x_1, -y_1)\}$.

Otherwise (i.e. $x_1 \ne 0$ and $y_1 \ne 0$), $S_x$ and $S_y$ are given by

$S_x = \left\{ \left(\frac{y_1}{\sqrt{a}}, -x_1\sqrt{a}\right),\ \left(-\frac{y_1}{\sqrt{a}}, x_1\sqrt{a}\right),\ \left(\frac{1}{x_1\sqrt{ad}}, -\frac{\sqrt{a}}{y_1\sqrt{d}}\right),\ \left(-\frac{1}{x_1\sqrt{ad}}, \frac{\sqrt{a}}{y_1\sqrt{d}}\right) \right\},$

$S_y = \left\{ (x_1, y_1),\ (-x_1, -y_1),\ \left(\frac{1}{y_1\sqrt{d}}, \frac{1}{x_1\sqrt{d}}\right),\ \left(-\frac{1}{y_1\sqrt{d}}, -\frac{1}{x_1\sqrt{d}}\right) \right\}.$

Proof. $\Rightarrow$: The set of all solutions to the system of equations $y_1 y_2 + a x_1 x_2 = 0$, $a x_1^2 + y_1^2 = 1 + d x_1^2 y_1^2$, $a x_2^2 + y_2^2 = 1 + d x_2^2 y_2^2$ gives $S_x$. The set of all solutions to the system of equations $x_1 y_2 - y_1 x_2 = 0$, $a x_1^2 + y_1^2 = 1 + d x_1^2 y_1^2$, $a x_2^2 + y_2^2 = 1 + d x_2^2 y_2^2$ gives $S_y$. Clearly, all solutions are distinct since $(0, 0)$ is not on the curve.

$\Leftarrow$: Trivial, by substitution. □

Theorem 2 shows that suitable selection of $a$ and $d$ is not enough to eliminate all exceptional cases. Therefore the formulae given by (3) are not complete. Nevertheless, the exceptional inputs have a special property given by the following lemma.

Lemma 1. Let $K, E_{E,a,d}, P, Q$ be defined as in Theorem 2. Assume that $P$ is a fixed point of odd order. Assume that $Q \in S_x \cup S_y - \{P\}$. Then $Q$ is of even order.

Proof. The proof is given in Appendix A. □

We now provide a practical solution to prevent exceptional cases. We will recall Corollary 1 in Section 3.

Corollary 1. Let $E_{E,a,d}$ be a twisted Edwards curve defined over $K$. Let $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ be points on $E_{E,a,d}$. Assume that $P$ and $Q$ are of odd order with $P \ne Q$. It follows that $y_1 y_2 + a x_1 x_2 \ne 0$ and $x_1 y_2 - y_1 x_2 \ne 0$.

Proof. The proof follows from Theorem 2 and Lemma 1. □
Cryptographic applications involving elliptic curve scalar multiplication typically use points of prime order. If this is the case, Corollary 1 shows that the addition formulae given by (2) are exception-free for distinct input points. Furthermore, extending $K$ cannot introduce any exception. Of course, one can still choose arbitrary points as the input at the expense of exception handling, or leave the exceptions unhandled. However, unhandled exceptions can let an active attacker succeed with an exceptional point attack. As a general solution, a suitable randomization technique can be used. For various randomization techniques, a comprehensive reference is [Handbook of Elliptic and Hyperelliptic Curve Cryptography, Chapter 29].
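A brute-force check of Theorem 1, Lemma 1 and Corollary 1 on a small curve, added here as an example (this is not the paper's code). It assumes $p = 31$, $a = 4$ (a square) and a non-square $d$, so that the addition law (1) of [1] is complete and every point is affine; it enumerates the curve, computes point orders by repeated addition, verifies for every odd-order $P$ that each $Q \neq P$ with $y_1y_2 + ax_1x_2 = 0$ or $x_1y_2 - y_1x_2 = 0$ has even order, and checks that on all other pairs the $d$-free formulae (2) agree with (1). The curve parameters are assumptions chosen for the demonstration.

```python
# Added example (not the paper's code): brute-force verification of Theorem 1,
# Lemma 1 and Corollary 1 for a*x^2 + y^2 = 1 + d*x^2*y^2 over F_p.
# Assumed parameters: a square (a = 4) and d a non-square, so that the addition
# law (1) is complete and no point at infinity is rational.

def sqrt_table(p):
    """Map each square r in F_p to the list of y with y^2 = r."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return roots

def curve_points(p, a, d):
    """All affine points: y^2 = (1 - a x^2)/(1 - d x^2); d non-square => 1 - d x^2 != 0."""
    roots = sqrt_table(p)
    pts = []
    for x in range(p):
        rhs = (1 - a * x * x) * pow(1 - d * x * x, -1, p) % p
        pts.extend((x, y) for y in roots.get(rhs, []))
    return pts

def add1(P, Q, p, a, d):
    """The unified addition law (1) of [1]; complete for a a square, d a non-square."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + y1 * x2) * pow(1 + t, -1, p) % p,
            (y1 * y2 - a * x1 * x2) * pow(1 - t, -1, p) % p)

def add2(P, Q, p, a):
    """The d-free formulae (2); only defined when both denominators are nonzero."""
    x1, y1 = P
    x2, y2 = Q
    return ((x1 * y1 + x2 * y2) * pow(y1 * y2 + a * x1 * x2, -1, p) % p,
            (x1 * y1 - x2 * y2) * pow(x1 * y2 - y1 * x2, -1, p) % p)

def point_order(P, p, a, d):
    """Order of P by repeated addition; the identity is (0, 1)."""
    n, R = 1, P
    while R != (0, 1):
        R = add1(R, P, p, a, d)
        n += 1
    return n

def check_exceptional_cases(p, a, d):
    """Return (exceptional_pairs_checked, ok).  ok becomes False if some exceptional
    Q != P has odd order for an odd-order P (contradicting Lemma 1 / Corollary 1),
    or if (2) disagrees with (1) on a non-exceptional pair."""
    pts = curve_points(p, a, d)
    order = {P: point_order(P, p, a, d) for P in pts}
    checked = 0
    for P in pts:
        if order[P] % 2 == 0:
            continue                        # Lemma 1 only speaks about odd-order P
        x1, y1 = P
        for Q in pts:
            if Q == P:
                continue
            x2, y2 = Q
            exceptional = ((y1 * y2 + a * x1 * x2) % p == 0
                           or (x1 * y2 - y1 * x2) % p == 0)
            if exceptional:
                checked += 1
                if order[Q] % 2 == 1:       # Q in S_x u S_y - {P} must have even order
                    return checked, False
            elif add2(P, Q, p, a) != add1(P, Q, p, a, d):
                return checked, False       # (2) must agree with (1) off the exceptions
    return checked, True

def nonsquares(p):
    """All non-squares in F_p^*, via Euler's criterion."""
    return [d for d in range(1, p) if pow(d, (p - 1) // 2, p) != 1]
```

Running `check_exceptional_cases(31, 4, d)` for every non-square `d` mod 31 returns `ok == True`; the identity $(0,1)$ alone already produces exceptional partners, namely $(0,-1)$ of order 2 and $(\pm 1/\sqrt a, 0)$ of order 4, which is exactly the case handled first in the proof in Appendix A.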

The rest of the paper is about cryptographic applications. Therefore, we now further assume that $K$ is finite. In some implementations the ratio I/M is quite large. For this reason, a natural strategy is to prevent the frequent use of field inversions, and a classical solution is to use projective coordinates.

At this stage, consider the homogeneous projective coordinates in [1]. In this system, each point $(x, y)$ on $ax^2 + y^2 = 1 + dx^2y^2$ is represented as the triplet $(X : Y : Z)$, which corresponds to the affine point $(X/Z, Y/Z)$ with $Z \neq 0$. These triplets satisfy the homogeneous projective equation

$$(aX^2 + Y^2)Z^2 = Z^4 + dX^2Y^2. \tag{4}$$

The curve defined by (4) is the projective closure of the curve $ax^2 + y^2 = 1 + dx^2y^2$. The identity element is represented by $(0 : 1 : 1)$. The negative of $(X : Y : Z)$ is $(-X : Y : Z)$. For all nonzero $\lambda \in K$, $(X : Y : Z) = (\lambda X : \lambda Y : \lambda Z)$. We denote this system by $\mathcal{E}$. The choice of $\mathcal{E}$ leads to the very efficient inversion-free point addition algorithms recently proposed in [1, Section 6].

3 Extended Twisted Edwards Coordinates

To gain more speed, it is convenient to introduce an auxiliary coordinate $t = xy$ to represent a point $(x, y)$ on $ax^2 + y^2 = 1 + dx^2y^2$ in extended affine coordinates $(x, y, t)$. One can pass to the projective representation using the map $(x, y, t) \mapsto (x : y : t : 1)$. For all nonzero $\lambda \in K$, $(X : Y : T : Z) = (\lambda X : \lambda Y : \lambda T : \lambda Z)$, which satisfies (4) and corresponds to the extended affine point $(X/Z, Y/Z, T/Z)$ with $Z \neq 0$. The auxiliary coordinate $T$ has the property $T = XY/Z$. This point representation is named extended twisted Edwards coordinates and is denoted by $\mathcal{E}^e$. The identity element is represented by $(0 : 1 : 0 : 1)$. The negative of $(X : Y : T : Z)$ is $(-X : Y : -T : Z)$. Given $(X : Y : Z)$ in $\mathcal{E}$, passing to $\mathcal{E}^e$ can be performed in 3M + 1S by computing $(XZ, YZ, XY, Z^2)$. Given $(X : Y : T : Z)$ in $\mathcal{E}^e$, passing to $\mathcal{E}$ is cost-free by simply ignoring $T$.


3.1 Unified Addition in $\mathcal{E}^e$

Given $(X_1 : Y_1 : T_1 : Z_1)$ and $(X_2 : Y_2 : T_2 : Z_2)$ with $Z_1 \neq 0$ and $Z_2 \neq 0$, a unified addition can be performed as $(X_1 : Y_1 : T_1 : Z_1) + (X_2 : Y_2 : T_2 : Z_2) = (X_3 : Y_3 : T_3 : Z_3)$ where

$$\begin{aligned}
X_3 &= (X_1Y_2 + Y_1X_2)(Z_1Z_2 - dT_1T_2),\\
Y_3 &= (Y_1Y_2 - aX_1X_2)(Z_1Z_2 + dT_1T_2),\\
T_3 &= (Y_1Y_2 - aX_1X_2)(X_1Y_2 + Y_1X_2),\\
Z_3 &= (Z_1Z_2 - dT_1T_2)(Z_1Z_2 + dT_1T_2).
\end{aligned}\tag{5}$$

These unified formulae are derived from the addition formulae (1). We deduce from [3] and [1] that these formulae are also complete when $d$ is not a square in $K$ and $a$ is a square in $K$. The operations can be performed with a 9M + 2D algorithm given by

$A \leftarrow X_1 \cdot X_2$, $B \leftarrow Y_1 \cdot Y_2$, $C \leftarrow dT_1 \cdot T_2$, $D \leftarrow Z_1 \cdot Z_2$,
$E \leftarrow (X_1 + Y_1)\cdot(X_2 + Y_2) - A - B$, $F \leftarrow D - C$, $G \leftarrow D + C$,
$H \leftarrow B - aA$, $X_3 \leftarrow E \cdot F$, $Y_3 \leftarrow G \cdot H$, $T_3 \leftarrow E \cdot H$, $Z_3 \leftarrow F \cdot G$.

An 8M + 2D mixed addition algorithm can then be derived by setting $Z_2 = 1$. This means that we are adding $(X_1 : Y_1 : T_1 : Z_1)$ and an extended affine point $(x_2, y_2, x_2y_2)$, which is equally written as $(x_2 : y_2 : x_2y_2 : 1)$.

Choosing curve constants of extremely small size or of extremely low (or high) Hamming weight can eliminate the computational overhead of a field multiplication. See also [1, Section 7] for an alternative strategy for the selection of constants. When using $\mathcal{E}^e$ the situation is even better if $a = -1$; we save 1M + 1D rather than just 1D. Consider a twisted Edwards curve given by

$$ax^2 + y^2 = 1 + dx^2y^2.$$

The map $(x, y) \mapsto (x\sqrt{-a}, y)$ defines the curve

$$-x^2 + y^2 = 1 + (-d/a)x^2y^2.$$

This map can be constructed if $-a$ is a square in $K$. It is worth pointing out here that the curve $-x^2 + y^2 = 1 + (-d/a)x^2y^2$ corresponds to the Edwards curve $x^2 + y^2 = 1 + (d/a)x^2y^2$ via the map $(x, y) \mapsto (ix, y)$ if $i \in K$ with $i^2 = -1$. For such curves a 10M + 1S + 1D point addition algorithm is given in [2, add-2007-bl-4].

After renaming the constant $-d/a$ to $d'$, the point addition on the twisted Edwards curve $-x^2 + y^2 = 1 + d'x^2y^2$ can now be performed with an 8M + 1D algorithm given by

$A \leftarrow (Y_1 - X_1)\cdot(Y_2 - X_2)$, $B \leftarrow (Y_1 + X_1)\cdot(Y_2 + X_2)$, $C \leftarrow kT_1 \cdot T_2$,
$D \leftarrow 2Z_1 \cdot Z_2$, $E \leftarrow B - A$, $F \leftarrow D - C$, $G \leftarrow D + C$,
$H \leftarrow B + A$, $X_3 \leftarrow E \cdot F$, $Y_3 \leftarrow G \cdot H$, $T_3 \leftarrow E \cdot H$, $Z_3 \leftarrow F \cdot G$

where $k = 2d'$. The optimization that leads to the removal of the extra multiplication is similar to the optimizations in [3] and [2, add-2007-bl-4]. A 7M + 1D mixed addition algorithm can be derived by setting $Z_2 = 1$.
In the case $a = -1$, we comment that it is possible to save two additions by further extending the coordinates to $(X : Y : T : Z : Y - X : Y + X)$. Alternatively, $(Y_2 - X_2)$, $(Y_2 + X_2)$, $2Z_2$, and $k = 2d'$ can be cached to save two additions and two multiplications by 2 when performing readdition. We do not claim that these cachings are very useful in practice. On the other hand, a caching of $kT_2$ leads to readdition in 8M rather than 8M + 1D. This can save time if D is large. As a consequence, readdition with $Z_2 = 1$ needs 7M rather than 7M + 1D. Similar arguments can easily be extended to the other algorithms in Section 3 when appropriate.

3.2 Dedicated Addition in $\mathcal{E}^e$

Given the representations $(X_1 : Y_1 : T_1 : Z_1)$ and $(X_2 : Y_2 : T_2 : Z_2)$ of distinct points with $Z_1 \neq 0$ and $Z_2 \neq 0$, the point addition can be performed as $(X_1 : Y_1 : T_1 : Z_1) + (X_2 : Y_2 : T_2 : Z_2) = (X_3 : Y_3 : T_3 : Z_3)$ where

$$\begin{aligned}
X_3 &= (X_1Y_2 - Y_1X_2)(T_1Z_2 + Z_1T_2),\\
Y_3 &= (Y_1Y_2 + aX_1X_2)(T_1Z_2 - Z_1T_2),\\
T_3 &= (T_1Z_2 + Z_1T_2)(T_1Z_2 - Z_1T_2),\\
Z_3 &= (Y_1Y_2 + aX_1X_2)(X_1Y_2 - Y_1X_2).
\end{aligned}\tag{6}$$

These formulae are independent of the curve constant $d$. These formulae are analogous to the addition formulae (2). The operations can be performed with a 9M + 1D algorithm given by

$A \leftarrow X_1 \cdot X_2$, $B \leftarrow Y_1 \cdot Y_2$, $C \leftarrow Z_1 \cdot T_2$, $D \leftarrow T_1 \cdot Z_2$,
$E \leftarrow D + C$, $F \leftarrow (X_1 - Y_1)\cdot(X_2 + Y_2) + B - A$, $G \leftarrow B + aA$,
$H \leftarrow D - C$, $X_3 \leftarrow E \cdot F$, $Y_3 \leftarrow G \cdot H$, $T_3 \leftarrow E \cdot H$, $Z_3 \leftarrow F \cdot G$.

An 8M + 1D mixed addition algorithm can be derived by setting $Z_2 = 1$. For the case $a = -1$, the operations can be performed with an 8M algorithm given by

$A \leftarrow (Y_1 - X_1)\cdot(Y_2 + X_2)$, $B \leftarrow (Y_1 + X_1)\cdot(Y_2 - X_2)$, $C \leftarrow 2Z_1 \cdot T_2$,
$D \leftarrow 2T_1 \cdot Z_2$, $E \leftarrow D + C$, $F \leftarrow B - A$, $G \leftarrow B + A$,
$H \leftarrow D - C$, $X_3 \leftarrow E \cdot F$, $Y_3 \leftarrow G \cdot H$, $T_3 \leftarrow E \cdot H$, $Z_3 \leftarrow F \cdot G$.

A 7M mixed addition algorithm can be derived by setting $Z_2 = 1$. A parallel version of the dedicated addition algorithm is given in Section 4.4 for the case $a = -1$.

3.3 Dedicated Doubling in $\mathcal{E}^e$

Given $(X_1 : Y_1 : T_1 : Z_1)$ with $Z_1 \neq 0$, point doubling can be performed as $2(X_1 : Y_1 : T_1 : Z_1) = (X_3 : Y_3 : T_3 : Z_3)$ where

$$\begin{aligned}
X_3 &= 2X_1Y_1(2Z_1^2 - Y_1^2 - aX_1^2),\\
Y_3 &= (Y_1^2 + aX_1^2)(Y_1^2 - aX_1^2),\\
T_3 &= 2X_1Y_1(Y_1^2 - aX_1^2),\\
Z_3 &= (Y_1^2 + aX_1^2)(2Z_1^2 - Y_1^2 - aX_1^2).
\end{aligned}\tag{7}$$

These formulae are independent of the curve constant $d$. These are essentially the same formulae as in [1] plus the formula $T_3 = 2X_1Y_1(Y_1^2 - aX_1^2)$, which increases the number of multiplications needed to compute a point doubling by 1. The operations can be performed with a 4M + 4S + 1D algorithm given by

$A \leftarrow X_1^2$, $B \leftarrow Y_1^2$, $C \leftarrow 2Z_1^2$, $D \leftarrow aA$, $E \leftarrow (X_1 + Y_1)^2 - A - B$,
$G \leftarrow D + B$, $F \leftarrow G - C$, $H \leftarrow D - B$, $X_3 \leftarrow E \cdot F$, $Y_3 \leftarrow G \cdot H$,
$T_3 \leftarrow E \cdot H$, $Z_3 \leftarrow F \cdot G$.

This algorithm is similar to the 3M + 4S + 1D point doubling algorithm in [1]. The slowdown from 3M + 4S + 1D to 4M + 4S + 1D will be remedied in Section 4.3 by mixing $\mathcal{E}^e$ with $\mathcal{E}$. A parallel version of the doubling algorithm is given in Section 4.4 for the case $a = -1$.


3.4 More Formulae

Since we have two different addition formulae for computing $x_3$ and another two for $y_3$, it is possible to produce hybrid addition formulae from (1) and (2). The hybrid formulae are given by

$$(x_1, y_1) + (x_2, y_2) = \left(\frac{x_1y_1 + x_2y_2}{y_1y_2 + ax_1x_2},\ \frac{y_1y_2 - ax_1x_2}{1 - dx_1y_1x_2y_2}\right),\tag{8}$$

$$(x_1, y_1) + (x_2, y_2) = \left(\frac{x_1y_2 + y_1x_2}{1 + dx_1y_1x_2y_2},\ \frac{x_1y_1 - x_2y_2}{x_1y_2 - y_1x_2}\right).\tag{9}$$

We comment that $\mathcal{E}^e$ analogs of (8) and (9) lead to similar speeds.


4 Applications

We provide further optimizations targeting scalar multiplication operations $nP$, where $n$ is an integer called the scalar and $P$ is the base point multiplied by the scalar.

The impact of the new unified addition algorithms in $\mathcal{E}^e$ for preventing side channel attacks is discussed in Section 4.1. Parallel versions of the 8M + 1D unified addition in $\mathcal{E}^e$ are provided in Section 4.2. The speed of scalar multiplication on twisted Edwards curves is increased by mixing $\mathcal{E}^e$ with $\mathcal{E}$ in Section 4.3. A parallel implementation of fast scalar multiplication in $\mathcal{E}^e$ is explained in Section 4.4. When parallelization is desired, the algorithms in Section 4.2 and Section 4.4 help to significantly reduce the effective cost of scalar multiplication. Other applications appear in Section 4.5.


4.1 Defeating SPA Attacks

It is well known that a scalar multiplication algorithm can gain SPA protection when unified additions are used as the only group operation, see [Handbook of Elliptic and Hyperelliptic Curve Cryptography, Section 29.1.2] for instance. From Section 3.1 we know that the unified addition costs 9M + 2D in $\mathcal{E}^e$. For the case $a = -1$ the cost drops to 8M + 1D. Both results are faster than all the other unified addition algorithms known to date. Assuming that S = 0.8M and D ≈ 0, the 8M + 1D algorithm is approximately 17.5%, 22.5%, 35%, 50%, 55%, 82.5% and 97.5% faster than the best results of the seven previously published unified addition methods it is compared against, respectively. Note that if S = M most speedups will be even more significant. Furthermore, both unified addition algorithms are complete for suitably selected parameters, see Section 3.1. Completeness is a stronger property than unification (see [3]).

Another approach to a protected scalar multiplication is using the Montgomery ladder with Montgomery curves or Kummer surfaces. Montgomery's algorithm for Montgomery curves [23] uses 5M + 4S + 1D per scalar bit. The Gaudry/Lubicz algorithm for Kummer surfaces (genus 1, odd characteristic case) in [10] uses 3M + 6S + 3D per scalar bit. We will only provide comparisons with Montgomery curves in the rest of the paper. Assuming that an optimized protected scalar multiplication algorithm uses 1.2 unified additions per scalar bit, scalar multiplication using the 8M + 1D algorithm then requires (8M + 1D) × 1.2 = 9.6M + 1.2D per scalar bit. Assuming that 0.67M ≤ S ≤ M and 0 ≤ D ≤ M (with the ratios S/M and D/M fixed equally for both systems), this will be approximately 6% to 25% slower than Montgomery curves. However, we will show in Section 4.2 that the 8M + 1D algorithm can be faster on parallel implementations. When designing the parallel algorithms we try to exploit all inherent parallelism. If an M is performed in parallel with a D and/or an S then the cost is counted as an effective 1M.


4.2 Defeating SPA Attacks in Parallel Environments

A useful feature of the 8M + 1D unified addition algorithm is that it is highly parallelizable. In this section, targeting parallel environments, we explain how a protected scalar multiplication using the 8M + 1D unified addition in $\mathcal{E}^e$ can perform faster than a protected scalar multiplication based on the Montgomery ladder [23]. For details on the ladder algorithm and Montgomery curves, we refer the reader to [23]. Earlier work on preventing side channel attacks in parallel environments using general elliptic curves should also be consulted.

The Montgomery curve $E_{M,A,B}$ is defined by $By^2 = x^3 + Ax^2 + x$ with $B(A^2 - 4) \neq 0$. Given the projective coordinates of two points $(X_m : Z_m)$ and $(X_n : Z_n)$ and also $(X_{m-n} : Z_{m-n}) = (X_m : Z_m) - (X_n : Z_n)$, the sum $(X_{m+n} : Z_{m+n}) = (X_m : Z_m) + (X_n : Z_n)$ is given in [23] by

$$\begin{aligned}
X_{m+n} &= Z_{m-n}\big((X_m - Z_m)(X_n + Z_n) + (X_m + Z_m)(X_n - Z_n)\big)^2,\\
Z_{m+n} &= X_{m-n}\big((X_m - Z_m)(X_n + Z_n) - (X_m + Z_m)(X_n - Z_n)\big)^2.
\end{aligned}$$

Dedicated doubling formulae (which can be faster than the addition) are used to compute $X_{2n}$ and $Z_{2n}$, given in [23] by

$$\begin{aligned}
4X_nZ_n &= (X_n + Z_n)^2 - (X_n - Z_n)^2,\\
X_{2n} &= (X_n + Z_n)^2(X_n - Z_n)^2,\\
Z_{2n} &= (4X_nZ_n)\big((X_n - Z_n)^2 + ((A+2)/4)(4X_nZ_n)\big).
\end{aligned}$$

The doubling algorithm uses 2M + 2S + 1D and the addition algorithm uses 3M + 2S assuming that $Z_{m-n} = 1$. The total cost of a doubling and an addition is then 5M + 4S + 1D (in all comparisons the ratios S/M and D/M are fixed equally for both systems). In a sequential environment it is convenient to consider the addition and doubling operations as a single composite operation. This approach is given in [2]. To follow the same notation rename

$$[(A+2)/4,\ X_{m-n}, Z_{m-n},\ X_n, Z_n,\ X_m, Z_m,\ X_{2n}, Z_{2n},\ X_{m+n}, Z_{m+n}]$$

as $[a24,\ X_1, Z_1,\ X_2, Z_2,\ X_3, Z_3,\ X_4, Z_4,\ X_5, Z_5]$, so that $(X_4 : Z_4)$ is the double of $(X_2 : Z_2)$ and $(X_5 : Z_5)$ is the sum of $(X_2 : Z_2)$ and $(X_3 : Z_3)$. Assuming that $Z_1 = 1$, a 5M + 4S + 1D Montgomery differential-addition-and-doubling algorithm is given in [2, mladd-1987-m] by

$A \leftarrow X_2 + Z_2$, $AA \leftarrow A^2$, $B \leftarrow X_2 - Z_2$, $BB \leftarrow B^2$,
$E \leftarrow AA - BB$, $C \leftarrow X_3 + Z_3$, $D \leftarrow X_3 - Z_3$, $DA \leftarrow D \cdot A$,
$CB \leftarrow C \cdot B$, $X_5 \leftarrow (DA + CB)^2$, $Z_5 \leftarrow X_1 \cdot (DA - CB)^2$,
$X_4 \leftarrow AA \cdot BB$, $Z_4 \leftarrow E \cdot (BB + a24\,E)$.
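The Montgomery ladder assembled from the differential-addition-and-doubling step above, as an added example that is not part of the paper. It assumes Curve25519 ($A = 486662$, $a24 = 121666$, $p = 2^{255} - 19$) and the point with $u = 9$, whose order $\ell = 2^{252} + 27742317777372353535851937790883648493$ is used as a check: $\ell P$ is the point at infinity and $(\ell \pm 1)P$ has $u = 9$ again. The ladder keeps $R_1 - R_0 = P$ throughout, so $X_1 = u(P)$ with $Z_1 = 1$ is exactly the difference the step needs. The bit-dependent branch below is written for readability; a protected implementation replaces it with a constant-time conditional swap, since the branch itself is what SPA observes.

```python
# Added example (not the paper's code): Montgomery ladder on Curve25519 built
# from the mladd-1987-m step with Z1 = 1.  Curve and base point are assumptions
# chosen as a concrete instance.
P25519 = 2**255 - 19
A_CURVE = 486662                     # B y^2 = x^3 + A x^2 + x
A24 = (A_CURVE + 2) // 4             # = 121666
L_ORDER = 2**252 + 27742317777372353535851937790883648493   # order of u = 9

def mladd(X1, X2, Z2, X3, Z3, p=P25519, a24=A24):
    """One differential addition and doubling (5M + 4S + 1D).
    X1 = u(P) with Z1 = 1, (X2:Z2) = nP, (X3:Z3) = mP with mP - nP = P.
    Returns (X4:Z4) = 2nP and (X5:Z5) = (m+n)P."""
    A = (X2 + Z2) % p
    AA = A * A % p
    B = (X2 - Z2) % p
    BB = B * B % p
    E = (AA - BB) % p                # 4 X2 Z2
    C = (X3 + Z3) % p
    D = (X3 - Z3) % p
    DA = D * A % p
    CB = C * B % p
    X5 = (DA + CB) ** 2 % p
    Z5 = X1 * ((DA - CB) ** 2 % p) % p
    X4 = AA * BB % p
    Z4 = E * ((BB + a24 * E) % p) % p
    return X4, Z4, X5, Z5

def ladder(k, u, p=P25519, a24=A24):
    """u(kP) for the point P with u-coordinate u, or None for the point at infinity.
    Invariant: R1 - R0 = P, so the difference passed to mladd is always (u : 1)."""
    X2, Z2 = 1, 0                    # R0 = point at infinity (1 : 0)
    X3, Z3 = u % p, 1                # R1 = P
    for bit in bin(k)[2:]:           # most significant bit first
        if bit == "0":               # R0 <- 2 R0,  R1 <- R0 + R1
            X2, Z2, X3, Z3 = mladd(u, X2, Z2, X3, Z3, p, a24)
        else:                        # R1 <- 2 R1,  R0 <- R0 + R1
            X3, Z3, X2, Z2 = mladd(u, X3, Z3, X2, Z2, p, a24)
    if Z2 == 0:
        return None
    return X2 * pow(Z2, -1, p) % p

def affine_double_u(u, p=P25519, A=A_CURVE):
    """u(2P) from the affine doubling formula, an independent check of mladd."""
    num = (u * u - 1) ** 2 % p
    den = 4 * u * (u * u + A * u + 1) % p
    return num * pow(den, -1, p) % p
```

The two branches of the loop are the two independent halves that the 2-processor discussion below assigns to separate processors: the doubling of one register and the differential addition of the pair.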

2-Processor Montgomery addition and doubling. It has been observed that the doubling and the addition phases of the Montgomery ladder algorithm can be performed independently. From this, it is clear that one of the processors needs 2M + 2S + 1D and the other needs 3M + 2S to perform the doubling and the addition, respectively. Since 3M + 2S > 2M + 2S + 1D we conclude that one round of computing a doubling and an addition can be done in an effective 3M + 2S. Alternatively, we can parallelize the “mladd-1987-m” algorithm in [2]. This approach also yields an effective 3M + 2S. See Appendix B. The ladder algorithm then uses 3M + 2S per scalar bit.


2-Processor twisted Edwards (a = −1) unified addition in $\mathcal{E}^e$. We now investigate the 8M + 1D unified addition algorithm. We can split the computational task into 9 steps with a full utilization of 2 processors. The unified addition can then be performed with an effective 4M + 1D algorithm.

Step  Cost  Processor 1         Processor 2
1           R1 <- Y1 - X1       R2 <- Y2 - X2
2           R3 <- Y1 + X1       R4 <- Y2 + X2
3     1M    R5 <- R1 . R2       R6 <- R3 . R4
4     1M    R7 <- T1 . T2       R8 <- Z1 . Z2
5     1D    R7 <- k R7          R8 <- 2 R8
6           R1 <- R6 - R5       R2 <- R8 - R7
7           R3 <- R8 + R7       R4 <- R6 + R5
8     1M    X3 <- R1 . R2       Y3 <- R3 . R4
9     1M    T3 <- R1 . R4       Z3 <- R2 . R3


Assuming that an optimized SPA protected scalar multiplication algorithm uses 1.2 unified additions per scalar bit, we have the cost estimate (4M + 1D) × 1.2 = 4.8M + 1.2D per scalar bit (for each of 2 processors). The fastest system is determined by the ratios S/M and D/M. For instance, if S = M and D ≈ 0 then twisted Edwards (a = −1) curves are approximately 4.2% faster than Montgomery curves. On the other hand, using Montgomery curves still seems to be preferable since the ladder algorithm needs less memory and it is not affected by changes in the ratio D/M. Note also that S < M in some applications.

We omit details for the 3-processor case, which can be derived with similar approaches.
4-Processor Montgomery addition and doubling. The Montgomery addition and doubling does not nicely fit the 4-processor setting. For instance the “mladd-1987-m” algorithm in [2] seems to be quite uncompetitive even if we exploit all inherent parallelism. A quick investigation shows that we can perform a doubling and an addition in an effective 2M + 2S. See Appendix B. The ladder algorithm then uses 2M + 2S per scalar bit.

4-Processor twisted Edwards (a = −1) unified addition in $\mathcal{E}^e$. We can split the computational task into 5 sequential steps among 4 processors. The unified addition can then be performed with an effective 2M + 1D algorithm.

Step  Cost  Processor 1      Processor 2      Processor 3      Processor 4
1           R1 <- Y1 - X1    R2 <- Y2 - X2    R3 <- Y1 + X1    R4 <- Y2 + X2
2     1M    R5 <- R1 . R2    R6 <- R3 . R4    R7 <- T1 . T2    R8 <- Z1 . Z2
3     1D    idle             idle             R7 <- k R7       R8 <- 2 R8
4           R1 <- R6 - R5    R2 <- R8 - R7    R3 <- R8 + R7    R4 <- R6 + R5
5     1M    X3 <- R1 . R2    Y3 <- R3 . R4    T3 <- R1 . R4    Z3 <- R2 . R3


Following the assumption from the 2-processor case we have the cost estimate (2M + 1D) × 1.2 = 2.4M + 1.2D per scalar bit. If S = M and D ≈ 0 then twisted Edwards (a = −1) curves are approximately 66.7% faster than Montgomery curves. If S = 0.8M and D = 0.25M then twisted Edwards (a = −1) curves are approximately 33.3% faster. If S = 0.8M and D = M then twisted Edwards (a = −1) curves are approximately 5.9% faster.

Assuming D ≈ 0, we estimate that a “256-bit, sliding window, 4-NAF” scalar multiplication on twisted Edwards (a = −1) curves will require approximately 602M for each of 4 processors, depending on the analysis in [3, Section 5].

Consider the field multiplication operation $kR_7$ in Step 3. The finite field arithmetic can be implemented building on integer arithmetic. Treating the field element $k$ as a $4n$-bit integer and $R_7$ as an integer, we fix $k_0, k_1, k_2, k_3 \in [0, 2^n - 1]$ such that $k = k_0 + 2^nk_1 + 2^{2n}k_2 + 2^{3n}k_3$. Now, $kR_7$ can be obtained as $k_0R_7 + 2^n(k_1R_7) + 2^{2n}(k_2R_7) + 2^{3n}(k_3R_7)$ by computing the $k_iR_7$ in parallel. The rest of the computation for obtaining $kR_7$ can be practically negligible (depending on the application). Here, the 3 additions to obtain $kR_7$ and $R_8 \leftarrow 2R_8$ can be put in a new parallel step. Furthermore, if $\#K$ is a special prime allowing very fast modular reduction (such as the NIST primes) then the cost of casting the integer $kR_7$ to $K$ (i.e. the modular reduction) can also be practically negligible (depending on the application). This method leads to a better utilization of processors and can be used for decreasing D. Even if $k$ is of full size (i.e. D = M), this technique fixes each $k_i$ to a quarter of the size of $k$ (i.e. D is close to 0.25M if schoolbook multiplication and fast reduction are being used). Alternatively, fixing $n$ to the word size of the underlying hardware (or maybe to the size of a compiler-supported data type) can be advantageous in some applications. The same method can be adapted to the 2-processor case.

The parallel implementation of $\mathcal{E}^e \leftarrow \mathcal{E}^e + \mathcal{E}^e$ is easier than the Montgomery case because all processors perform similar tasks at each step. In addition, the implementation does not require a special field squaring circuit to gain better timings.
2 × 2-Processor Montgomery addition and doubling. If the doubling operation is assigned to a team of two processors and the addition operation is assigned to another team of two processors, the 2M + 2S figure can be improved to 2M + 1S. See Appendix B. Here, we make the assumption that the addition team and the doubling team work in an unsynchronized fashion and perform the synchronization at the end (of each round); we are not claiming that the implementation of this is easy. Even with this assumption twisted Edwards (a = −1) curves can still be faster. For instance, if S = M and D ≈ 0 then twisted Edwards (a = −1) curves are approximately 25% faster than Montgomery curves.

4.3 Fast Scalar Multiplication

Cohen, Miyaji, and Ono introduced the modified Jacobian coordinates and studied other systems in the literature, namely affine, projective, Jacobian, and Chudnovsky Jacobian coordinates. To gain better timings they proposed a technique of carefully mixing these coordinates. We follow a similar approach. Note that the notations $\mathcal{E}$ and $\mathcal{E}^e$ follow the notation introduced in [1].

On twisted Edwards curves, the speed of scalar multiplications which involve point doublings can be increased by mixing $\mathcal{E}^e$ with $\mathcal{E}$. The following technique replaces (slower) doublings in $\mathcal{E}^e$ with (faster) doublings in $\mathcal{E}$. In the execution of a scalar multiplication:

(i) If a point doubling is followed by another point doubling, use $\mathcal{E} \leftarrow 2\mathcal{E}$.

(ii) If a point doubling is followed by a point addition, use

1. $\mathcal{E}^e \leftarrow 2\mathcal{E}$ for the point doubling step; followed by,

2. $\mathcal{E} \leftarrow \mathcal{E}^e + \mathcal{E}^e$ for the point addition step.

$\mathcal{E} \leftarrow 2\mathcal{E}$ is performed using the 3M + 4S + 1D doubling algorithm in [1]. The details of the other operations are given below.

$\mathcal{E}^e \leftarrow 2\mathcal{E}$ using (7):

(i) In Section 3 it was noted that passing from $(X : Y : Z)$ to $(X : Y : T : Z)$ (i.e. passing from $\mathcal{E}$ to $\mathcal{E}^e$) can be performed in 3M + 1S. From this, it might seem at first glance that computing $\mathcal{E}^e \leftarrow 2\mathcal{E}$ will be more costly than expected. However, the doubling algorithm for (7) does not use the input $T_1$ and so it can be used for $\mathcal{E}^e \leftarrow 2\mathcal{E}$ without modification.

(ii) Theorem 1 implies that $Z_1$ and $Z_3$ are always nonzero if the base point is of odd order. Alternatively, careful selection of $a$ and $d$ also guarantees that $Z_1$ and $Z_3$ are always nonzero regardless of the order of the base point, see [1].

$\mathcal{E} \leftarrow \mathcal{E}^e + \mathcal{E}^e$ based on (either) (5) or (6):

(i) Observe that one field multiplication can be saved by not computing $T_3$. This can be regarded as a remedy to the extra field multiplication which appears in $\mathcal{E}^e \leftarrow 2\mathcal{E}$ while computing $T_3$.

(ii) If (6) is used (without computing $T_3$), scalar multiplication is independent of $d$. Indeed $\mathcal{E} \leftarrow 2\mathcal{E}$ (see [1]) and $\mathcal{E}^e \leftarrow 2\mathcal{E}$ (see Section 3.3) are also independent of $d$. Formulae (6) save time if D is large. In addition, Corollary 1 implies that $Z_1$, $Z_2$ and $Z_3$ are always nonzero if the base point is of odd order.

(iii) If (5) is used (without computing $T_3$), the curve constant $d$ will be involved in the calculations. Using the concept of readdition discussed in Section 3.1 one can also achieve similar performance in comparison to the case of (6). In addition, Theorem 1 implies that $Z_1$, $Z_2$ and $Z_3$ are always nonzero if the base point is of odd order. Alternatively, careful selection of $a$ and $d$ also guarantees that $Z_1$, $Z_2$ and $Z_3$ are always nonzero regardless of the order of the base point, see [1].
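The three $\mathcal{E}^e$ operations of Sections 3.1, 3.2 and 3.3 together with the mixing rule of this section, carried out on a concrete curve with $a = -1$, as an added example (this is not the paper's code). It assumes the Ed25519 curve over $\mathbb{F}_p$, $p = 2^{255} - 19$, with $d = -121665/121666$ and the base point $(x, 4/5)$ of prime order $\ell = 2^{252} + 27742317777372353535851937790883648493$; $-1$ is a square and $d$ a non-square there, so the unified addition is complete and may be used for $P = Q$. Field operations pass through counting wrappers `M`, `S`, `D` so the operation counts in the text can be checked; the `want_t=False` variants are $\mathcal{E} \leftarrow \mathcal{E}^e + \mathcal{E}^e$ and $\mathcal{E} \leftarrow 2\mathcal{E}$, and the dedicated addition applied to $P = Q$ shows the exceptional all-zero output that makes it unusable as a unified formula.

```python
# Added example, not the paper's code: extended twisted Edwards coordinates
# E^e = (X:Y:T:Z) with a = -1, instantiated on the Ed25519 curve (assumption):
# p = 2^255 - 19, d = -121665/121666, base point (x, 4/5) of prime order l.
P = 2**255 - 19
D_CONST = (-121665 * pow(121666, -1, P)) % P            # curve constant d (= d')
K_CONST = 2 * D_CONST % P                               # k = 2d'
L_ORDER = 2**252 + 27742317777372353535851937790883648493
COUNT = {"M": 0, "S": 0, "D": 0}                        # operation counters

def M(x, y): COUNT["M"] += 1; return x * y % P          # field multiplication
def S(x): COUNT["S"] += 1; return x * x % P             # field squaring
def D(x): COUNT["D"] += 1; return K_CONST * x % P       # multiplication by k

def add_unified(p1, p2, want_t=True):
    """Section 3.1, a = -1: 8M + 1D (7M + 1D when T3 is skipped, giving E <- E^e + E^e).
    Complete on this curve (d non-square, -1 a square), so P = Q is allowed."""
    X1, Y1, T1, Z1 = p1
    X2, Y2, T2, Z2 = p2
    A = M((Y1 - X1) % P, (Y2 - X2) % P)
    B = M((Y1 + X1) % P, (Y2 + X2) % P)
    C = D(M(T1, T2))
    Dd = 2 * M(Z1, Z2) % P
    E, F, G, H = (B - A) % P, (Dd - C) % P, (Dd + C) % P, (B + A) % P
    return (M(E, F), M(G, H), M(E, H) if want_t else None, M(F, G))

def add_dedicated(p1, p2):
    """Section 3.2, a = -1: 8M, independent of d.  Not unified: P = Q gives (0:0:0:0)."""
    X1, Y1, T1, Z1 = p1
    X2, Y2, T2, Z2 = p2
    A = M((Y1 - X1) % P, (Y2 + X2) % P)
    B = M((Y1 + X1) % P, (Y2 - X2) % P)
    C = 2 * M(Z1, T2) % P
    Dd = 2 * M(T1, Z2) % P
    E, F, G, H = (Dd + C) % P, (B - A) % P, (B + A) % P, (Dd - C) % P
    return (M(E, F), M(G, H), M(E, H), M(F, G))

def double(p1, want_t=True):
    """Section 3.3, a = -1: 4M + 4S (3M + 4S when T3 is skipped, i.e. E <- 2E).
    T1 is never read, so a point of E (T unknown) is a valid input: E^e <- 2E."""
    X1, Y1, _, Z1 = p1
    A, B, C = S(X1), S(Y1), 2 * S(Z1) % P
    E = (S((X1 + Y1) % P) - A - B) % P     # 2*X1*Y1
    G = (B - A) % P                        # D + B with D = a*A = -A
    F = (G - C) % P
    H = (-A - B) % P                       # D - B
    return (M(E, F), M(G, H), M(E, H) if want_t else None, M(F, G))

def to_affine(p1):
    X, Y, _, Z = p1
    zinv = pow(Z, -1, P)
    return (X * zinv % P, Y * zinv % P)

def scalar_mult(n, base, mixed=False):
    """Left-to-right double-and-add.  mixed=True applies the rule of Section 4.3:
    a doubling followed by a doubling is E <- 2E, a doubling followed by an addition
    is E^e <- 2E then E <- E^e + E^e; only the final operation keeps T."""
    R = (0, 1, 0, 1)                       # identity (0:1:0:1)
    bits = bin(n)[2:]
    for i, bit in enumerate(bits):
        last = i == len(bits) - 1
        R = double(R, want_t=(not mixed) or bit == "1" or last)
        if bit == "1":
            R = add_unified(R, base, want_t=(not mixed) or last)
    return R

def count_ops(n, base, mixed):
    """(M, S, D) counts of one scalar multiplication."""
    for key in COUNT:
        COUNT[key] = 0
    scalar_mult(n, base, mixed)
    return (COUNT["M"], COUNT["S"], COUNT["D"])

def base_point():
    """Ed25519 base point (x, 4/5); x is recovered from the curve equation, x even."""
    y = 4 * pow(5, -1, P) % P
    u = (y * y - 1) * pow(D_CONST * y * y + 1, -1, P) % P   # x^2 = (y^2 - 1)/(d y^2 + 1)
    x = pow(u, (P + 3) // 8, P)                              # square root, p = 5 (mod 8)
    if x * x % P != u:
        x = x * pow(2, (P - 1) // 4, P) % P
    if x % 2:
        x = P - x
    return (x, y, x * y % P, 1)
```

For the scalar 11 = 1011b the plain $\mathcal{E}^e$ double-and-add costs 40M + 16S + 3D (four doublings at 4M + 4S, three additions at 8M + 1D), while the mixed rule costs 37M + 16S + 3D: the one doubling that is followed by a doubling drops to 3M + 4S and the two non-final additions drop to 7M + 1D. The same functions confirm that $\ell B$ is the identity and that the unified and dedicated additions agree on distinct inputs.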

In Table 1 a comparison is made of the speeds that can be achieved under different S/M and D/M scenarios. These estimates are based on the analysis in [3, Section 5]. To gain the best speed, we assume that $a = -1$. To make the cost estimation easier (without sacrificing accuracy), we can consider the cost of $\mathcal{E}^e \leftarrow 2\mathcal{E}$ as 3M + 4S by pushing the extra multiplication to the operation count of $\mathcal{E} \leftarrow \mathcal{E}^e + \mathcal{E}^e$. In this case, the relevant costs for various additions based on the formulae (6) are as follows. Addition: 8M; readdition: 8M; readdition with $Z_2 = 1$: 7M; mixed addition (i.e. addition with $Z_2 = 1$, reasonably denoted by $\mathcal{E} \leftarrow \mathcal{E}^e + \mathcal{A}^e$): 7M. As a special case, we also include cost estimates for the Montgomery ladder, which requires 5M + 4S + 1D per scalar bit. The rows are sorted with respect to the column (.8, 0) in descending order. The headers (e.g. (.8, .5)) of columns 2 to 7 fix the ratios S/M and D/M, respectively. (Of course, D/M = 0 should be regarded as D/M ≈ 0 when it appears.)

Table 1. Cost estimates (M) for fast scalar multiplication, 256-bit. (The Montgomery ladder algorithm for Montgomery curves and the “sliding window, 4-NAF” method for Edwards, inverted Edwards, and mixed twisted Edwards coordinates.)

System                            (1, 1)  (.8, 1)  (1, .5)  (.8, .5)  (1, 0)  (.8, 0)
Montgomery Ladder, [23]             2560     2355     2432      2227    2304     2099
Edwards, [3]                        2351     2139     2326      2115    2301     2090
Inverted Edwards, [4]               2552     2341     2402      2191    2251     2040
Twisted Edwards (a = −1), mixed     2152     1951     2152      1951    2152     1951

It is also convenient to consider $\mathcal{E}^e \leftarrow 2\mathcal{E}$ followed by $\mathcal{E} \leftarrow \mathcal{E}^e + \mathcal{E}^e$ as a single composite operation $\mathcal{E} \leftarrow 2\mathcal{E} + \mathcal{E}^e$ where $\mathcal{E}^e$ is the base point. A similar composite-operation approach has been taken in affine Weierstrass coordinates.


4.4 Fast Scalar Multiplication in Parallel Environments

It is natural to ask whether the speed of the protected scalar multiplication discussed in Section 4.2 can be increased by using a fast dedicated doubling algorithm. Unfortunately mixing $\mathcal{E}^e$ with $\mathcal{E}$ does not seem to be helpful in parallel environments for increasing the speed. Nevertheless, $\mathcal{E}^e \leftarrow 2\mathcal{E}^e$ can be performed with an effective 1M + 1S algorithm on 4 processors.

[The 4-processor doubling schedule is not recoverable from the scan; only the register fragments R3 <- R6 - R7 and Z3 <- R4 . R7 survive.]

This is essentially the same algorithm as in Section 3.3. It is easy to deduce that the 2-processor point doubling needs an effective 2M + 2S. Point addition $\mathcal{E}^e \leftarrow \mathcal{E}^e + \mathcal{E}^e$ can be performed with an effective 2M algorithm, as follows.


Step  Cost  Processor 1      Processor 2      Processor 3      Processor 4
1           R1 <- Y1 - X1    R2 <- Y2 + X2    R3 <- Y1 + X1    R4 <- Y2 - X2
2     1M    R5 <- R1 . R2    R6 <- R3 . R4    R7 <- Z1 . T2    R8 <- T1 . Z2
3           idle             idle             R7 <- 2 R7       R8 <- 2 R8
4           R1 <- R8 + R7    R2 <- R6 - R5    R3 <- R6 + R5    R4 <- R8 - R7
5     1M    X3 <- R1 . R2    Y3 <- R3 . R4    T3 <- R1 . R4    Z3 <- R2 . R3

This is essentially the same algorithm as in Section 3.2. It is easy to deduce that the 2-processor point addition needs an effective 4M. One may prefer using the parallel version of the addition formulae (5), which comes at the expense of a multiplication by $d$. See the discussions about readdition in Section 3.1 and partitioning $k$ in Section 4.2. Assuming S = 0.8M and D ≈ 0, we estimate that a “256-bit, sliding window, 4-NAF” scalar multiplication using $\mathcal{E}^e$ will require approximately 552M for each of 4 processors, depending on the analysis in [3, Section 5].


4.5 Other Applications

Point addition intensive operations bring out the full power of the new addition algorithms. Therefore, we will consider the batch signature verification algorithm in this section.

There is a vast literature on the optimization of special exponentiation techniques. An example in the case of scalar multiplication is computing $\sum_i n_iP_i$ with fixed base point(s) or fixed scalar(s). In [3, Section 7], cost estimations for selected applications involving $\sum_i n_iP_i$ are provided for several curve models. The expected increases in speed for twisted Edwards curves can be deduced from [3] by simply substituting the new operation counts. For instance, the batch signature verification technique attributed to Bos and Coster is summarized in [3, Section 5] for one variant of the ElGamal signature system. The cost estimates for this operation are given in Table 2 in comparison to Edwards coordinates and inverted Edwards coordinates.

Table 2. Cost estimates (M) for batched verification of 100 ElGamal signatures, 256-bit.

System                                  (1, 1)  (.8, 1)  (1, .5)  (.8, .5)  (1, 0)  (.8, 0)
Edwards, [3]                               302      297      289       284     276      271
Inverted Edwards, [4]                      276      271      264       259     251      246
Twisted Edwards (a = −1), $\mathcal{E}^e$  201      201      201       201     201      201

5 Conclusion

In this work, a new point representation $\mathcal{E}^e$ is introduced for twisted Edwards curves. We derive efficient and highly parallel group operations and discuss alternative ways of preventing exceptional cases. We then provide performance estimates and comparisons for different implementation scenarios.

Defeating SPA Attacks. We provide two fast unified addition algorithms which cost 9M + 2D and 8M + 1D. The latter case is at least 22% faster than all the other unified addition methods stated in the literature. These formulae are even 17.5% faster than our preliminary result.

Defeating SPA Attacks in Parallel Environments. We provide an effective 2M + 1D unified point addition algorithm on a 4-processor environment. We further showed that twisted Edwards (a = −1) curves can be up to 66.7% faster than Montgomery curves in this parallel environment.

Fast Scalar Multiplication. We first handle single-scalar multiplication. We explain how to perform fast scalar multiplication by mixing $\mathcal{E}^e$ with twisted Edwards coordinates $\mathcal{E}$, improving the current relevant literature bounds by approximately 4%-18%. We then point out that multi-scalar multiplications profit even more from the faster point additions in $\mathcal{E}^e$.

Fast Scalar Multiplication in Parallel Environments. We also point to the parallel versions of fast scalar multiplication offering a speed increase by a factor of 3.54 (using 4 processors) over the optimized sequential case.

In conclusion, we have pushed the recent speed limits of elliptic curve cryptography forward in a wide range of applications. Building on our observations we recommend using $\mathcal{E}^e$ (and mixing $\mathcal{E}^e$ with $\mathcal{E}$ when useful) for speeding up scalar multiplication in several different settings.
A Proof of Lemma 1

Proof. Note that the points at infinity are of even order, see [1]. Assume that $P = (x_1, y_1)$ is of odd order. Thus, $P$ is not one of the points at infinity. Assume that $Q \in S_x \cup S_y - \{P\}$. If $Q$ were one of the points at infinity it would have even order and the claim follows. Note also that $P \neq Q$ and $P \neq -Q$ since $P, -P \notin S_x \cup S_y - \{P\}$. Instead of a further case by case analysis on $S_x \cup S_y - \{P\}$, we will prove the lemma with a general approach. The proof has two parts.

In the first part we will prove that all points in $S_x$ are of even order. Assume that $Q = (x_2, y_2)$ is an element of $S_x$. By Theorem 1, $ax_1x_2 + y_1y_2 = 0$.

Suppose that $x_1 = 0$. Since $P$ is of odd order, $P \neq (0, -1)$ and consequently $P = (0, 1)$. By Theorem 1, $Q = (\pm 1/\sqrt a, 0)$. Since $4(\pm 1/\sqrt a, 0) = (0, 1)$, $Q$ is of even order as desired.

Assume from now on that $x_1 \neq 0$. We can write $x_2 = -y_1y_2/(ax_1)$ since $x_1$ is nonzero. Let $M = 2P$ and $N = 2Q$. Since $P$ is of odd order, so is $M$. Therefore, $M$ is not one of the points at infinity. We can assume that $N$ is not one of the points at infinity; for otherwise $Q$ is of even order as desired. Using the relation $x_2 = -y_1y_2/(ax_1)$ and formula (2) for computing $x_3$ we get

$$x(N) = \frac{2x_2y_2}{y_2^2 + ax_2^2} = \frac{2(-y_1y_2/(ax_1))\,y_2}{y_2^2 + a(-y_1y_2/(ax_1))^2} = -\frac{2x_1y_1}{y_1^2 + ax_1^2} = -x(M).$$

The denominators $y_1^2 + ax_1^2$ and $y_2^2 + ax_2^2$ must be nonzero since $M$ and $N$ are not points at infinity. By the curve definition we have

$$y = \pm\sqrt{(1 - ax^2)/(1 - dx^2)}.$$

So $y(M) = \pm y(N)$ since $|x(M)| = |x(N)|$.

$y(M) = -y(N)$ implies that $M - N = (0, -1)$, a point of order 2. Then $2(M - N) = 2(2P - 2Q) = 4(P - Q) = (0, 1)$. So $P - Q$ is a point of order 4.

$y(M) = y(N)$ implies that $M + N = (0, 1)$, the identity. Then $M + N = 2P + 2Q = 2(P + Q) = (0, 1)$. So $P + Q$ is a point of order 2 since $P \neq -Q$.

In conclusion, we have $P \pm Q$ of even order in all situations. Since $P$ is of odd order, $Q \in S_x$ must be of even order.

In the second part of the proof we will prove that all points in $S_y - \{P\}$ are of even order. Assume that $Q = (x_2, y_2)$ is an element of $S_y - \{P\}$. By Theorem 1, $x_1y_2 - y_1x_2 = 0$.

Suppose that $x_1 = 0$. Since $P$ is of odd order, $P \neq (0, -1)$ and consequently $P = (0, 1)$. By Theorem 1, $Q = (0, -1)$. Then $Q$ is of even order as desired.

Assume from now on that $x_1 \neq 0$. We can write $y_2 = y_1x_2/x_1$ since $x_1$ is nonzero. Let $M = 2P$ and $N = 2Q$. Since $P$ is of odd order, so is $M$. Therefore, $M$ is not one of the points at infinity. We can assume that $N$ is not one of the points at infinity; for otherwise $Q$ is of even order as desired. Using the relation $y_2 = y_1x_2/x_1$ and formula (2) for computing $x_3$ we get

$$x(N) = \frac{2x_2y_2}{y_2^2 + ax_2^2} = \frac{2x_2(y_1x_2/x_1)}{(y_1x_2/x_1)^2 + ax_2^2} = \frac{2x_1y_1}{y_1^2 + ax_1^2} = x(M).$$

The denominators $y_1^2 + ax_1^2$ and $y_2^2 + ax_2^2$ must be nonzero since $M$ and $N$ are not points at infinity. By the curve definition $y(M) = \pm y(N)$ since $|x(M)| = |x(N)|$.

$y(M) = -y(N)$ implies that $M + N = (0, -1)$, a point of order 2. Then $2(M + N) = 2(2P + 2Q) = 4(P + Q) = (0, 1)$. So $P + Q$ is a point of order 4.

$y(M) = y(N)$ implies that $M - N = (0, 1)$, the identity. Then $M - N = 2P - 2Q = 2(P - Q) = (0, 1)$. So $P - Q$ is a point of order 2 since $P \neq Q$.

In conclusion, we have $P \pm Q$ of even order in all situations. Since $P$ is of odd order, $Q \in S_y - \{P\}$ must be of even order.

In summary, all points in $S_x \cup S_y - \{P\}$ are of even order provided that $P$ is of odd order. $\square$

B Parallel Algorithms

This appendix contains parallel algorithms for Montgomery addition and doubling discussed in Section 4.2.

2-processor Montgomery differential-addition-and-doubling. Effective 3M + 2S, assumption Z1 = 1, adapted from [3, mladd-1987-m].

  Processor 1              Processor 2
  R1 ← X2 + Z2             R2 ← X2 − Z2
  R3 ← X3 + Z3             R4 ← X3 − Z3
  R5 ← R1²                 R6 ← R2²
  R7 ← R5 − R6             idle
  R1 ← R1 · R4             R2 ← R2 · R3
  R3 ← R1 + R2             R4 ← R1 − R2
  X5 ← R3²                 R2 ← R4²
  R8 ← a24 · R7            X4 ← R5 · R6
  R8 ← R6 + R8             Z5 ← X1 · R2
  Z4 ← R7 · R8             idle

4-processor Montgomery differential-addition-and-doubling. Effective 2M + 2S, adapted from [3, mladd-1987-m].

  [4-processor register schedule: only fragments survived extraction (R7 ← R5 − R6, R8 ← a24 · R7, R8 ← R6 + R8, Z5 ← X1 · R2, X4 ← R5 · R6, Z4 ← R7 · R8); the full table is lost.]

2 × 2-processor Montgomery differential-addition and Montgomery doubling. Effective 2M + 1S. Using the notation from [3].

  Montgomery Addition
  Processor 1              Processor 2
  R0 ← X2 − Z2             R1 ← X3 + Z3
  R2 ← X2 + Z2             R3 ← X3 − Z3
  R0 ← R0 · R1             R2 ← R2 · R3
  R1 ← R0 + R2             R3 ← R0 − R2
  R0 ← R1²                 R2 ← R3²
  X5 ← Z1 · R0             Z5 ← X1 · R2

  Montgomery Doubling
  Processor 1              Processor 2
  R4 ← X2 + Z2             R5 ← X2 − Z2
  R4 ← R4²                 R5 ← R5²
  R6 ← R4 − R5             idle
  R7 ← a24 · R6            idle
  R7 ← R5 + R7             idle
  X4 ← R4 · R5             Z4 ← R6 · R7

The effective cost of addition is 2M + 1S (even if Z1 = 1). The effective cost of doubling is 1M + 1S + 1D. Since 2M + 1S > 1M + 1S + 1D the overall effective cost is 2M + 1S depending on the assumption in Section 4.2.
Abstract. Most cryptographic protocols, in particular asymmetric protocols, are based on assumptions about the computational complexity of mathematical problems. The Φ-Hiding assumption is such an assumption. It states that if $p_1$ and $p_2$ are small primes exactly one of which divides $\varphi(N)$, where N is a number whose factorization is unknown and $\varphi$ is Euler's totient function, then there is no polynomial-time algorithm to distinguish which of the primes $p_1$ and $p_2$ divides $\varphi(N)$ with a probability significantly greater than 1/2. In this paper, it will be shown that the Φ-Hiding assumption is not valid when applied to a modulus $N = PQ^{2e}$, where $P, Q > 2$ are primes, $e > 0$ is an integer and P hides the prime in question. This indicates that cryptographic protocols using such moduli and relying on the Φ-Hiding assumption must be handled

Keywords: Φ-Hiding assumption, Jacobi symbol, Euler's totient function

1 Introduction

The Φ-Hiding assumption as defined by Cachin, Micali and Stadler [3] is an assumption about the difficulty of finding small factors of $\varphi(N)$, where N is a number whose factorization is unknown, and $\varphi(\cdot)$ is Euler's totient function, i.e. the number of positive integers less than or equal to N that are coprime to N. The security of several cryptosystems is based on the presumed difficulty of solving this problem [2,5,6,7]. In this paper, it will be shown how information about the unknown factors of $\varphi(N)$ can be obtained when the modulus N is chosen as $N = PQ^{2e}$, where $P, Q > 2$ are primes, $e > 0$ is an integer and P hides the prime in question, such that the Φ-Hiding assumption is not valid in this case. Moduli of the form $N = PQ^{2e}$ are called Multi-Power RSA moduli and are used to speed up cryptographic operations […]. In addition, it will be shown that if two random composite integers instead of two primes are used, the probability of choosing the integer that divides $\varphi(N)$ reaches 99% if the integers have at least 7 prime factors. Furthermore, the paper suggests an approach to get more information about $\varphi(N)$ without knowing the factorization of N.

The paper is organized as follows. In Section 2 two definitions of the Φ-Hiding assumption are given. Our approach to show that the Φ-Hiding assumption is not valid in certain circumstances is presented in Section 3. Section 4 concludes the paper and outlines areas for future research.

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 344–354, 2008.


2 The Φ-Hiding Assumption

The Φ-Hiding assumption [3] can be defined in two different ways. The first definition illustrates the computational problem the assumption is based on.

Definition 1 (Φ-Hiding assumption (1)). Given an integer N with unknown factorization, it is computationally hard to decide whether a prime $p_i$ with $2 < p_i \ll N^{1/4}$ divides $\varphi(N)$ or not.¹

The second definition represents a special case of the assumption, since it is assumed that exactly one of two given integers divides $\varphi(N)$.

Definition 2 (Φ-Hiding assumption (2)). If $p_1$ and $p_2$ are two random, small primes and N is constructed such that exactly one of these primes divides $\varphi(N)$, then there is no polynomial-time algorithm to distinguish which of the primes $p_1 > 2$ and $p_2 > 2$ divides $\varphi(N)$ with a probability significantly greater than 0.5, if N is an integer with unknown factorization. If $p_i$ divides $\varphi(N)$, it is said that $\varphi(N)$ hides $p_i$.

In cryptographic protocols, Definition 2 of the Φ-Hiding assumption is used, since in this case some previous knowledge is involved (i.e. which of the two primes divides $\varphi(N)$) that can be used to create a necessary backdoor for asymmetric cryptography. To the best of our knowledge, no attack on the Φ-Hiding assumption has been published until now. In the next section, we present our approach to show that the Φ-Hiding assumption is not valid when Multi-Power RSA moduli are used.


3 The Φ-Hiding Assumption Revisited

The Φ-Hiding assumption is only valid when it is applied to a composite number that cannot be completely factored in feasible time, since otherwise it would be trivial to decide whether a prime divides $\varphi(N)$ or not. Our approach to decide whether a prime divides $\varphi(N)$ for a composite number N uses the Jacobi symbol. It can be evaluated efficiently, even for composite numbers with unknown factorization […]. The Jacobi symbol $J_P(r)$, for P prime, generalizes the Legendre symbol and states information about quadratic residues: If $a^2 \equiv r \pmod P$ for given integers r and P has a solution in a, then $J_P(r) = 1$, otherwise $J_P(r) = -1$ (if $\gcd(P, r) > 1$, then $J_P(r) = 0$). For composite odd integers, the Jacobi symbol is defined as $J_N(r) = \prod_{i=1}^{m} J_{P_i}(r)^{e_i}$, if $N = P_1^{e_1} \cdots P_m^{e_m}$. Furthermore, a particular 2k-th root of unity is used to show that the values of the Jacobi symbol are related to factors of $\varphi(N)$, and that the Jacobi symbol adopts non-random values when the evaluated integer r is a divisor of $\varphi(N)$. Thus, the novel idea to use the existence and the non-existence of 2k-th roots of unity in finite fields/rings allows us to gain knowledge about the divisors of $\varphi(N)$, which in some cases can be used to make the decision whether a given integer divides $\varphi(N)$ or not. These results will be used to show that the Φ-Hiding assumption as defined by Cachin, Micali and Stadler [3] is not valid when applied to a modulus $N = PQ^{2e}$, where $P, Q > 2$ are primes, $e > 0$ is an integer and P hides the prime in question. Lemma 1 is central for our approach:

¹ Following the remarks of the original paper of Cachin, Micali and Stadler, N can be efficiently factored when a prime $> N^{1/4}$ of $\varphi(N)$ is known, thus the Φ-Hiding assumption asks for very small primes. Even if it is known which small primes $p_i$ divide $\varphi(N)$, if $\log p_i$ is significantly smaller than $(\log N)^c$, for a constant c between 0 and 1, N cannot be factored significantly faster.

346 C. Schridde and B. Freisleben

Lemma 1. Let $\zeta_{2k}$ be any fixed primitive 2k-th root of unity and $k \in \mathbb{N}^+$, then:

$$i^{\,1-k}\prod_{j=1}^{k-1}\bigl(\zeta_{2k}^{j} - \zeta_{2k}^{-j}\bigr) = k \qquad (1)$$

Proof (of Lemma 1). The polynomial $f(X) = (X^k - 1)/(X - 1) = X^{k-1} + X^{k-2} + \dots + 1$ has $\zeta_k^j$ for $j = 1, \dots, k-1$ as its roots, where $\zeta_k$ is any fixed primitive k-th root of unity. Writing $f(X)$ in factored form $f(X) = \prod_{j=1}^{k-1}(X - \zeta_k^j)$, we obtain $f(1) = \prod_{j=1}^{k-1}(1 - \zeta_k^j) = k$. Since

$$\prod_{j=1}^{k-1}\bigl(\zeta_{2k}^{j} - \zeta_{2k}^{-j}\bigr) = \prod_{j=1}^{k-1}\zeta_{2k}^{j}\,\prod_{j=1}^{k-1}\bigl(1 - \zeta_{2k}^{-2j}\bigr) = \prod_{j=1}^{k-1}\zeta_{2k}^{j}\,\prod_{j=1}^{k-1}\bigl(1 - \zeta_{k}^{j}\bigr) = k\prod_{j=1}^{k-1}\zeta_{2k}^{j} \qquad (2)$$

and since $\prod_{j=1}^{k-1}\zeta_{2k}^{j} = \zeta_{2k}^{k(k-1)/2} = \zeta_4^{k-1} = i^{k-1}$, the product $i^{1-k}\prod_{j=1}^{k-1}\zeta_{2k}^{j}$ reduces to 1 and we get

$$i^{\,1-k}\prod_{j=1}^{k-1}\bigl(\zeta_{2k}^{j} - \zeta_{2k}^{-j}\bigr) = k \qquad (3)$$

which proves the lemma. □

We now rewrite the (k − 1) terms covered by the product symbol in equation (1), such that it contains a large square:

Lemma 2 (Square Lemma). Let $k \in \mathbb{Z}^+$ and $k > 2$. Then:

1. If k is odd:

$$\prod_{j=1}^{k-1}\bigl(\zeta_{2k}^{j} - \zeta_{2k}^{-j}\bigr) = \prod_{j=1}^{(k-1)/2}\bigl(\zeta_{2k}^{j} + \zeta_{2k}^{k-j}\bigr)^2 \qquad (4)$$

2. If k is even:

$$\prod_{j=1}^{k-1}\bigl(\zeta_{2k}^{j} - \zeta_{2k}^{-j}\bigr) = 2i\prod_{j=1}^{(k-2)/2}\bigl(\zeta_{2k}^{j} + \zeta_{2k}^{k-j}\bigr)^2 \qquad (5)$$

Proof (of Lemma 2)

1. k is odd: Since k is odd, the j-th and the (k − j)-th factor for $1 \le j \le k-1$ can be paired. The result is:

$$\bigl(\zeta_{2k}^{j} - \zeta_{2k}^{-j}\bigr)\bigl(\zeta_{2k}^{k-j} - \zeta_{2k}^{j-k}\bigr) = \zeta_{2k}^{k} - \zeta_{2k}^{2j-k} - \zeta_{2k}^{k-2j} + \zeta_{2k}^{-k} = -1 + \zeta_{2k}^{2j} + \zeta_{2k}^{-2j} - 1$$

$$= \zeta_{2k}^{2j} - 2 + \zeta_{2k}^{-2j} = \bigl(\zeta_{2k}^{j} + \zeta_{2k}^{k-j}\bigr)^2$$

(using $\zeta_{2k}^{\pm k} = -1$). The pairing contains a square. Since k − 1 is even, no term is left and a product of (k − 1)/2 squares is generated, which proves the case for odd values of k.

2. k is even: Since k is even, the j-th and the (k − j)-th factor for $1 \le j < k/2$ and $k/2 < j \le k-1$ can be paired, which leads to the same terms as in case 1. The difference is that the factor $\zeta_{2k}^{k/2} - \zeta_{2k}^{-k/2}$ with $j = k/2$ remains. For this factor,

$$\zeta_{2k}^{k/2} - \zeta_{2k}^{-k/2} = (-1)^{1/2} - (-1)^{-1/2} = i - 1/i = i\,(1 - 1/i^2) = 2i$$

which proves the case for even values of k. □

By Lemma 2 the product in Equation (1) is transformed to a product with a perfect square and the factor $i^{1-k}$ (k odd) and $2i^{2-k}$ (k even), respectively.
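A numerical check of Lemma 1 and the Square Lemma over the complex numbers, taking $\zeta_{2k} = e^{i\pi/k}$, as an added example (not code from the paper; the function names are my own):

```python
# Added example (not from the paper): numerical check of Lemma 1 and the
# Square Lemma over the complex numbers with zeta_{2k} = e^{i*pi/k}.
import cmath

def zeta(k: int) -> complex:
    """A fixed primitive 2k-th root of unity."""
    return cmath.exp(1j * cmath.pi / k)

def raw_product(k: int) -> complex:
    """prod_{j=1}^{k-1} (zeta^j - zeta^{-j}), the product appearing in Lemma 1."""
    z, prod = zeta(k), 1
    for j in range(1, k):
        prod *= z**j - z**(-j)
    return prod

def lemma1_lhs(k: int) -> complex:
    """i^(1-k) * raw_product(k); equation (1) says this equals k."""
    return (1j) ** (1 - k) * raw_product(k)

def lemma2_rhs(k: int) -> complex:
    """Right-hand side of (4) (k odd) or (5) (k even): the paired squares
    (zeta^j + zeta^(k-j))^2, times the unpaired middle factor 2i when k is even."""
    z, prod = zeta(k), 1
    pairs = (k - 1) // 2 if k % 2 else (k - 2) // 2
    for j in range(1, pairs + 1):
        prod *= (z**j + z**(k - j)) ** 2
    return prod if k % 2 else 2j * prod

def lemmas_hold(k: int, tol: float = 1e-9) -> bool:
    """True if (1) and (4)/(5) hold for this k up to floating-point error."""
    return abs(lemma1_lhs(k) - k) < tol and abs(raw_product(k) - lemma2_rhs(k)) < tol
```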

3.1 Application to Finite Fields and Rings

In this section, the results are applied to finite fields $\mathbb{F}_P$ with P being a prime number. We distinguish between two cases. In the first case, we assume that a $\zeta_{2k} \in \mathbb{F}_P$ does not exist, and in the second case, we assume that a $\zeta_{2k} \in \mathbb{F}_P$ exists.

Case 1: A $\zeta_{2k} \in \mathbb{F}_P$ does not exist. In this case, it is assumed that $\mathbb{F}_P$ does not contain a 2k-th root of unity. As a consequence, there is no integer of order 2k and thus the factors $(\zeta_{2k}^{j} + \zeta_{2k}^{k-j})$ are not defined properly in $\mathbb{F}_P$. Thus, it cannot be assumed that the product $\prod_{j}(\zeta_{2k}^{j} + \zeta_{2k}^{k-j})^2$ forms a valid square in $\mathbb{F}_P$ and vanishes from the Jacobi symbol. The integer k, which nevertheless exists, has no defined counterpart on the left side of Equation (1). In this case, $J_P(k)$ cannot be distinguished from a random coin flip between 1 and −1.

Case 2: A $\zeta_{2k} \in \mathbb{F}_P$ exists. This leads to the fact that the square $\prod_{j=1}^{(k-1)/2}(\zeta_{2k}^{j} + \zeta_{2k}^{k-j})^2$ obtained from Lemma 2 is valid in $\mathbb{F}_P$, since each $\zeta_{2k}^{j}$ is defined properly. Therefore, equation (1) can be written as a well defined congruence in $\mathbb{F}_P$. Corollary 1 shows the outcome when the Jacobi symbol is applied to this congruence and the square obtained from Lemma 2 is inserted.


Corollary 1. Let P be an odd prime number, $k \in \mathbb{F}_P$. Assume that a $\zeta_{2k} \in \mathbb{F}_P$ exists, then:

1. If k is odd:

$$J_P\Bigl((-1)^{(1-k)/2}\prod_{j=1}^{(k-1)/2}\bigl(\zeta_{2k}^{j} + \zeta_{2k}^{k-j}\bigr)^2\Bigr) = J_P\bigl((-1)^{(1-k)/2}\bigr) = J_P(k) \qquad (6)$$

2. If k is even:

$$J_P\Bigl(2(-1)^{1-k/2}\prod_{j=1}^{(k-2)/2}\bigl(\zeta_{2k}^{j} + \zeta_{2k}^{k-j}\bigr)^2\Bigr) = J_P\bigl(2(-1)^{1-k/2}\bigr) = J_P(k) \qquad (7)$$

After the square has vanished from the Jacobi symbol, a simple congruence is left. This congruence indicates a relationship between the value of the Jacobi symbol and the divisors of $\varphi(P)$, because Corollary 1 is only valid if 2k divides $\varphi(P)$. Again, this implicitly shows that it is important to distinguish between the two cases of divisibility introduced above, since the square vanishes only if it is defined properly. Otherwise, the Jacobi symbol of an arbitrary integer k would always be equal to $J_P((-1)^{(1-k)/2})$ or $J_P(2(-1)^{1-k/2})$, respectively, which obviously is wrong.

Example: Let P = 31 with $\varphi(31) = 30$. By setting k = 5 due to $(2 \cdot 5) \mid 30$, there must be an integer of order 10, e.g. 23 or 15. It does not matter which of them is chosen here, since it disappears after applying the Jacobi symbol. Now, calculate $(-1)^{(1-5)/2} = (-1)^{-2} = 1$. Since k is odd, $J_{31}((-1)^{(1-5)/2}) = J_{31}(1) = J_{31}(5)$ must hold, which is true since both sides are equal to 1.

Next, a theorem is stated that describes the relationship between $J_P(k)$ and $\zeta_{2k}$.

Theorem 1. Let P be an odd prime number, $k \in \mathbb{F}_P$. $J_P(k)$ and the divisors of $\varphi(P)$ are connected via the following implications:

1. If k is odd, then:

  If $\zeta_{2k} \in \mathbb{F}_P$ exists $\Rightarrow J_P((-1)^{(1-k)/2}) = J_P(k)$.

  If $J_P((-1)^{(1-k)/2}) \neq J_P(k) \Rightarrow \zeta_{2k} \in \mathbb{F}_P$ does not exist.

2. If k is even, then:

  If $\zeta_{2k} \in \mathbb{F}_P$ exists $\Rightarrow J_P(2(-1)^{1-k/2}) = J_P(k)$.

  If $J_P(2(-1)^{1-k/2}) \neq J_P(k) \Rightarrow \zeta_{2k} \in \mathbb{F}_P$ does not exist.

Proof (of Theorem 1). The proof of the theorem follows directly from Corollary 1. □

Theorem 1 indicates that either a divisor k of $\varphi(P)$ must be known to conclude that the corresponding Jacobi symbols $J_P(k)$ and $J_P((-1)^{(1-k)/2})$ (or $J_P(2(-1)^{1-k/2})$) are equal, or it must be tested whether the two Jacobi symbols $J_P(k)$ and $J_P((-1)^{(1-k)/2})$ (or $J_P(2(-1)^{1-k/2})$) are different in order to get the information that k cannot be a divisor of $\varphi(P)$. In the two other cases, no information can be obtained. The reason is that either the k-th root of −1 is not defined, or from the equality of the Jacobi symbols it cannot be concluded that k divides $\varphi(P)$.

To summarize, if 2k divides $\varphi(P)$, the Jacobi symbol of k adopts non-random values. Furthermore, Corollary 1 shows that the resulting congruences $J_P((-1)^{(1-k)/2}) = J_P(k)$ and $J_P(2(-1)^{1-k/2}) = J_P(k)$ for odd and even values of k are independent of the chosen $\zeta_{2k}$. Thus, it is only essential that a $\zeta_{2k}$ exists in $\mathbb{F}_P$, but it is not necessary to know it.


3.2 Leakage Corollaries

In this section, we present tables for special composite integers N that contain the values the Jacobi symbol must adopt to leak information about the divisors of $\varphi(N)$. For composite integers N with unknown factorization, we do not know the order of an arbitrary integer a, but we can compute the Jacobi symbol $J_N(a)$. Thus, we are only able to use the first implication of item 1 and the second implication of item 2 of Theorem 1. For clarity, the following corollary divides these items further with respect to different residue classes of a prime P and an integer k.

Corollary 2 (Leakage corollary for prime numbers). Let P be an odd prime number, $k \in \mathbb{F}_P$. In any of the following six cases, there does not exist a $\zeta_{2k} \in \mathbb{F}_P$.

If $P \equiv 1 \pmod 4$:

  If k is odd: If $J_P(i^{1-k}) = 1 \neq J_P(k)$.

  If k is even: If $J_P(2i^{2-k}) = (-1)^{(P^2-1)/8} \neq J_P(k)$.

If $P \equiv 3 \pmod 4$:

  If $k \equiv 0 \pmod 4$: If $J_P(2(-1)^{1-k/2}) = (-1)^{(P^2+7)/8} \neq J_P(k)$.

  If $k \equiv 1 \pmod 4$: If $J_P((-1)^{(1-k)/2}) = 1 \neq J_P(k)$.

  If $k \equiv 2 \pmod 4$: If $J_P(2(-1)^{1-k/2}) = (-1)^{(P^2-1)/8} \neq J_P(k)$.

  If $k \equiv 3 \pmod 4$: If $J_P((-1)^{(1-k)/2}) = -1 \neq J_P(k)$.

Corollary 2 states which two Jacobi symbols must differ to be sure that the integer k is not a divisor of $\varphi(P)$. Thus, in some cases, the access to the Jacobi symbol is sufficient to decide whether a prime divides P − 1 or not. Next, the corollary is extended to composite integers N being the product of two distinct prime numbers P and Q. This leads to the tables shown in Figure 1. The tables must be read in the following way: The four tables handle the four different residues of k modulo 4. Furthermore, the first two tables (horizontal direction) show the 64 combinations of the 8 different residues of P and Q modulo 16 (P, Q > 2) for even residues of k. The third table was reduced to a single row since it contains 64 values of −1. The fourth table shows the 64 combinations of the 8 different residues of P and Q modulo 16 (P, Q > 2) for $k \equiv 3 \pmod 4$. The entries for each combination of P and Q illustrate which value of the Jacobi symbol $J_N(k)$ reveals that there is no integer of order 2k for at least one of the primes P and Q. For example, the first entry of −1 in the upper left table represents the case $k \equiv 0 \pmod 4$ and $P \equiv Q \equiv 1 \pmod{16}$. Applying Corollary 2 to this combination yields $J_P(2i^{2-k}) = J_Q(2i^{2-k}) = 1$. The corresponding table entry of −1 shows that $J_N(k)$ must be −1, therefore at least for one of the primes P or Q, there is no integer of order 2k.

[Fig. 1. Entries: $J_{PQ}(k)$. Tables for N = PQ for different residues of P and Q modulo 16. Four tables, for k = 0+4s, k = 2+4s, k = 1+4s and k = 3+4s, indexed by Q \ P ∈ {1, 3, 5, 7, 9, 11, 13, 15}; the table entries did not survive extraction.]

The conclusion is too weak to obtain knowledge regarding the Φ-Hiding assumption, since $\varphi(N)$ could still be divisible by 2k. Some integers, even with unknown factorization, allow to obtain more information about the divisors of $\varphi(N)$. These are integers of the form $N = PQ^{2e}$, since one of the two involved primes is a square, which is ignored by the Jacobi symbol. In this way, the Jacobi symbol leaks information about the other prime involved. If N has the form $N = PQ^{2e}$, then for the Jacobi symbol and a co-prime integer k > 2,

$$J_N(k) = J_{PQ^{2e}}(k) = J_P(k) \cdot J_Q(k)^{2e} = J_P(k).$$

Using this fact, the tables displayed in Figure 2 show the values the Jacobi symbol $J_N(k)$ must adopt such that 2k does not divide $\varphi(P)$.

Example: Suppose N = 1323801442080750176044871 and N is of the form $N = PQ^{2e}$, e > 0. Suppose we want to test whether k = 41 divides P − 1. Since $k \equiv 1 \pmod 4$, the third table must be used. Thus, $J_N(41) = -1$. The table shows that whenever the Jacobi symbol of k is negative, k can not divide P − 1.

Fig. 2. Entries: $J_{PQ^{2e}}(k)$. Tables for $N = PQ^{2e}$ for different residues of P and Q modulo 16 (the even power of Q drops out of the Jacobi symbol, so each table reduces to a single row indexed by P mod 16).

  P mod 16 |  1   3   5   7   9  11  13  15
  ---------+--------------------------------
  k = 0+4s | -1  -1  +1  +1  -1  -1  +1  +1
  k = 2+4s | -1  +1  +1  -1  -1  +1  +1  -1
  k = 1+4s | -1  -1  -1  -1  -1  -1  -1  -1
  k = 3+4s | -1  +1  -1  +1  -1  +1  -1  +1

In the next section, the last two tables in Figure 2 are used to invalidate the Φ-Hiding assumption when using moduli of the form $N = PQ^{2e}$ and choosing P to hide the prime number in question.

3.3 Application to the Φ-Hiding Assumption

In both Definitions 1 and 2 of Section 2 it is only required that N is a composite integer with unknown factorization. By applying our results from the previous sections, we show that this requirement is not sufficient. If the Φ-Hiding assumption is applied to a modulus of the form $PQ^{2e}$, where the integer P is constructed in such a way that P hides a given prime, then the Φ-Hiding assumption is violated with non-negligible probability. Moduli of this form, mostly with e = 1, are used by several cryptographic protocols, as described by Boneh and Shacham [1] and used, e.g., by Poupard and Stern […], to speed up some computations that profit from the form $PQ^{2e}$ with e > 0 instead of PQ. Using the results of the previous sections, the following theorem can be stated:

Theorem 2. Let $N = PQ^{2e}$ and suppose that P hides p. Then, the Φ-Hiding assumption from Definition 2 can be violated. An attacker can choose the hidden prime with an average success probability of 3/4.

The following notation is used: N is again of the form $N = PQ^2$ and T(N, k) is the value of the corresponding table entry of Figure 2.

Proof (of Theorem 2). Suppose that either $p_1$ or $p_2$ divides $\varphi(N)$ and an attacker has to decide which of them divides $\varphi(N)$. Without loss of generality, we assume that $p_1$ is the prime that is hidden by P. For this prime, $J_N(p_1) \neq T(N, p_1)$ holds, because it divides P − 1 (see Theorem 1). Thus, the attacker will find at least one matching Jacobi symbol concerning the primes $p_1$ and $p_2$. From the attacker's point of view, the probability that a prime $p_i$, $i \in \{1, 2\}$ divides $\varphi(N)$ is

$$\mathrm{Prob}[p_i \mid \varphi(N)] = \begin{cases} 0, & J_N(p_i) = T(N, p_i) \\ 1, & J_N(p_j) = T(N, p_j) \\ 1/2, & J_N(p_i) = J_N(p_j) \end{cases} \qquad (8)$$

where $p_j$ denotes the other one of the two primes. Note the factorization of N is not needed to construct the tables in Figure 2. They are universally valid for moduli of the form $N = PQ^{2e}$ and thus known to the attacker. Whenever the Jacobi symbol $J_N(p_i)$ is equal to $T(N, p_i)$, Theorem 1 states that $p_i$ cannot be a divisor of $\varphi(N)$, thus the probability is $\mathrm{Prob}[p_i \mid \varphi(N)] = 0$. Consequently, the Jacobi symbol $J_N(p_j)$ must be not equal to $T(N, p_j)$, which indicates that it is the hidden prime. If both Jacobi symbols do not match the table entry, no information is leaked and the attacker cannot argue in any direction. Thus, in this case the probability is $\mathrm{Prob}[p_i \mid \varphi(N)] = 1/2$. Since the primes $p_i$ are chosen randomly, it can be assumed that the Jacobi symbol $J_N(p_2)$ adopts random values of −1 and +1. The calculation of the total probability for the attacker to choose the hidden prime correctly is as follows: Whenever a Jacobi symbol evaluates to a value unequal to the table entry, it cannot be the prime that is hidden by P, so the attacker chooses the other one, the hidden one, with a probability of 1. When both Jacobi symbols evaluate to T(N, ·), the attacker chooses the right one with a probability of 1/2. Thus, in total there is an average probability of $\frac12 \cdot 1 + \frac12 \cdot \frac12 = \frac34$ to choose the correct prime, which proves Theorem 2. □
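The Jacobi-symbol test behind Theorem 1 and the attacker of Theorem 2, as an added example (not code from the paper): it computes $J_N(\cdot)$ without factoring, derives the constant $c_k$ of Corollary 1 and the table value T(N, k) of Figure 2 directly from N, checks Theorem 1 exhaustively for small primes, and measures the 3/4 success rate on constructed toy moduli $N = PQ^2$. The function names, the 40-bit toy parameters and the sample moduli are my own assumptions.

```python
"""Added example (not from the paper): the Jacobi-symbol leakage test of
Theorem 1 and the attacker of Theorem 2 for moduli N = P * Q**(2e).
Names, the 40-bit toy parameters and the constructed moduli are my own."""
import random

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol J_n(a) for odd n > 0, computed without factoring n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # (2/n) = -1 exactly when n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity for odd a, n
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def residual_constant(k: int) -> int:
    """c_k left when the square of Lemma 2 is dropped (Corollary 1):
    (-1)^((1-k)/2) for odd k, 2*(-1)^(1-k/2) for even k."""
    if k % 2:
        return 1 if ((k - 1) // 2) % 2 == 0 else -1
    return 2 if (k // 2 - 1) % 2 == 0 else -2

def table_entry(N: int, k: int) -> int:
    """T(N, k) of Fig. 2: the value J_N(k) must take to certify that F_P has
    no primitive 2k-th root of unity, i.e. that 2k does not divide P - 1.
    The even power of Q drops out, so J_N(c_k) = J_P(c_k) without factoring N."""
    return -jacobi(residual_constant(k), N)

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; adequate for toy parameters."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def check_theorem1(bound: int) -> int:
    """Exhaustive check of Theorem 1 for odd primes P < bound: whenever
    2k | P-1, J_P(k) == J_P(c_k).  Returns the number of (P, k) pairs tested."""
    tested = 0
    for P in range(3, bound, 2):
        if not is_probable_prime(P):
            continue
        for k in range(2, P):
            if (P - 1) % (2 * k) == 0:
                assert jacobi(k, P) == jacobi(residual_constant(k), P), (P, k)
                tested += 1
    return tested

def prime_hiding(p: int, bits: int, rng: random.Random) -> int:
    """Prime P of at least `bits` bits with p | P-1 (P hides p); p = 1 gives
    an ordinary random odd prime."""
    while True:
        P = 2 * p * rng.getrandbits(bits) + 1
        if P.bit_length() >= bits and is_probable_prime(P):
            return P

def guess_hidden_prime(N: int, p1: int, p2: int):
    """Attacker of Theorem 2: a prime whose Jacobi symbol equals T(N, .)
    cannot divide P-1, so the other one is hidden.  None when undecided."""
    excluded = [p for p in (p1, p2) if jacobi(p, N) == table_entry(N, p)]
    if len(excluded) == 1:
        return p2 if excluded[0] == p1 else p1
    return None

def success_rate(trials: int, seed: int = 1) -> float:
    """Average success over constructed toy moduli N = P*Q^2 where P hides p1
    and p2 divides neither P-1 nor Q-1; an undecided case counts 1/2.
    Theorem 2 predicts 3/4."""
    rng = random.Random(seed)
    small_primes = [p for p in range(3, 200) if is_probable_prime(p)]
    score = 0.0
    for _ in range(trials):
        p1, p2 = rng.sample(small_primes, 2)
        P = prime_hiding(p1, 40, rng)
        while (P - 1) % p2 == 0:
            P = prime_hiding(p1, 40, rng)
        Q = prime_hiding(1, 40, rng)
        while (Q - 1) % p2 == 0:
            Q = prime_hiding(1, 40, rng)
        guess = guess_hidden_prime(P * Q * Q, p1, p2)
        assert guess != p2, "the hidden prime is never excluded (Theorem 1)"
        score += 1.0 if guess == p1 else 0.5
    return score / trials
```

Calling `success_rate(300)` reproduces the paper's 3/4 figure up to sampling noise, and `table_entry` applied to the paper's N with k = 41 returns −1, matching the worked example above.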

Composite Integers. The situation is even worse when the Φ-Hiding assumption is used with composite integers $n_1$ and $n_2$ instead of the primes $p_1$ and $p_2$, as done, for example, by Gentry et al. […]. Assume that there is a modulus of the form $N = PQ^2$ and we want to determine whether the composite integer $n_i$, which is the product of m distinct primes greater than 2, divides $\varphi(N)$. Suppose the Jacobi symbol is applied and the result does not allow to decide whether $n_i$ divides $\varphi(N)$ or not. In this case, we can proceed with the prime factors of $n_i$. Since $n_i$ is $\prod_{j=1}^{m} p_j$, the Jacobi symbol can simply be evaluated for all of its prime factors. If there is a prime $p_j$ with a Jacobi symbol that leaks the required information, we know that $n_i$ cannot divide $\varphi(N)$, since from $n_i \mid \varphi(N)$ it follows that $p_j \mid \varphi(N)$ must also hold. If the integers in question consist only of 7 prime numbers, there already is a success probability of ≈ 99% to choose the right integer.

Corollary 3. If $n_1 = \prod_{j=1}^{l_1} p_j$ and $n_2 = \prod_{j=1}^{l_2} q_j$ are two random, composite integers that are odd and square free and $n_1$ is the hidden integer, then an attacker has a success probability of $(1 - 1/2^{l_2})$ to choose the hidden integer.

Proof. Let $n_1 = \prod_{j=1}^{l_1} p_j$ and $n_2 = \prod_{j=1}^{l_2} q_j$ be two odd, square free integers. If $N = PQ^{2e}$ and exactly one of the two integers $n_1$ and $n_2$ divides $\varphi(N)$, the probability to choose the right one of the two possibilities is as follows. The case $l_1 = l_2 = 1$ was already addressed in the paper; it has a success probability of 3/4. Note that if $n_i \mid \varphi(N)$, then also each divisor of $n_i$ is a divisor of $\varphi(N)$. Thus, if we find a divisor of $n_i$ that does not divide $\varphi(N)$, we can conclude that $n_i$ is not the integer hidden by $\varphi(N)$. Since the same argument applies to all divisors that are prime numbers, it is sufficient to check all prime factors of $n_i$ whether they are divisors of $\varphi(N)$ or not.

Table 1. Success Probability

  l₁ = l₂ |   1     2      3      4      5      6      7
  --------+-----------------------------------------------
          |  0.5   0.75   0.875  0.938  0.969  0.984  0.992

Without loss of generality, we assume that $n_1$ is the integer hidden by $\varphi(N)$. For each of its $l_1$ prime factors $p_i$, $J_N(p_i) \neq T(N, p_i)$ must hold. For the other integer $n_2$, it follows that for each of its $l_2$ prime factors $q_i$ it holds with a probability of 1/2 that $J_N(q_i) \neq T(N, q_i)$ and with a probability of 1/2 that $J_N(q_i) = T(N, q_i)$. Whenever the first case occurs, no knowledge is gained. But whenever the latter case occurs, the information that $n_2$ cannot be a divisor of $\varphi(N)$ is gained, so $n_1$ is the hidden number. The method fails if for all prime factors $J_N(q_i) \neq T(N, q_i)$ is obtained, which occurs with a probability of $\prod_{i=1}^{l_2} \mathrm{Prob}[J_N(q_i) \neq T(N, q_i)] = 1/2^{l_2}$. Thus, the success probability of choosing the right integer is $(1 - 1/2^{l_2})$. □

Table 1 illustrates the success probability of choosing the right prime for different numbers of prime factors.

3.4 Discussion

In the previous section we have shown that in some circumstances it can be efficiently decided whether a given prime p divides $\varphi(N)$ or not. A necessary condition is that moduli of the form $PQ^{2e}$ with e > 1 are used and P hides p. If someone implements a cryptographic protocol based on the Φ-Hiding assumption and uses such moduli, an attacker has an average probability of 3/4 to choose the right prime, if the primes the attacker can choose from are selected randomly. In cases when it is desired to ask which composite number n is hidden by P, the success probability would be even greater than 3/4, since for each prime factor of n the attacker has the success probability of 3/4.

There are two possible countermeasures to the presented attack. First, moduli of the form $PQ^{2e}$, e > 1 should not be used in conjunction with the Φ-Hiding assumption. Second, the primes a user can choose from should not be selected randomly, but only those primes that have a positive Jacobi symbol regarding N should be used. Thus, the assumption as stated in the original form should be adapted to avoid its vulnerability to the presented attack.

4 Conclusions

In this paper, it was shown that by utilizing an identity of 2k-th roots in $\mathbb{Z}_N$ and the Jacobi symbol, it is possible to gain knowledge about the unknown factors of Euler's totient function $\varphi(N)$ even if N is computationally hard to factorize. This knowledge was used to invalidate the Φ-Hiding assumption as defined by Cachin, Micali and Stadler [3] for moduli of the form $N = PQ^{2e}$ with P hiding the prime in question, since the Jacobi symbol adopts non-random values when being applied to a factor of $\varphi(N)$. Our results are important for evaluating the security of cryptographic protocols that use the Φ-Hiding assumption and exemplify the situation when it has to be handled with care.

There are several areas for future work. For example, an interesting issue is to examine the case when the integer k does not divide $\varphi(N)$. In this case, the identity is not well defined. Thus, it should be investigated whether there are methods to bypass this problem to obtain further relationships between the Jacobi symbol and the factors of $\varphi(N)$. Since the approach makes use of an identity of 2k-th roots in $\mathbb{Z}_N$ and this identity is only one of many, future work should be directed to analyze other results of such identities that may offer attack possibilities on the Φ-Hiding assumption.

Acknowledgements. The authors would like to thank Frederik Vercauteren for his excellent comments to improve the presentation of the material contained in this paper.
Abstract. Every public-key encryption scheme has to incorporate a certain amount of randomness into its ciphertexts to provide semantic security against chosen ciphertext attacks (IND-CCA). The difference between the length of a ciphertext and the embedded message is called the ciphertext overhead. While a generic brute-force adversary running in $2^t$ steps gives a theoretical lower bound of t bits on the ciphertext overhead for IND-CPA security, the best known IND-CCA secure schemes demand roughly 2t bits even in the random oracle model. Is the t-bit gap essential for achieving IND-CCA security?

We close the gap by proposing an IND-CCA secure scheme whose ciphertext overhead matches the generic lower bound up to a small constant. Our scheme uses a variation of a four-round Feistel network in the random oracle model and hence belongs to the family of OAEP-based schemes. Maybe of independent interest is a new efficient method to encrypt long messages exceeding the length of the permutation while retaining the minimal overhead.

1 Introduction

1.1 Background

Motivation. Ever since Goldwasser and Micali introduced the concept of "probabilistic encryption" [10] it is well understood that every public-key encryption scheme has to incorporate a certain amount of randomness into its ciphertexts in order to achieve semantic security. Thus a ciphertext c must be longer than the embedded message m and the difference $\ell_{oh} := |c| - |m|$ is called the ciphertext overhead. In order to achieve stronger security properties, the ciphertext overhead tends to be even larger due to the use of extended randomness or extra integrity checking mechanisms. In this paper we are asking for the minimal possible ciphertext overhead to protect against adaptive chosen ciphertext attacks (IND-CCA security).

A Generic Lower Bound. A ciphertext overhead of $\ell_{oh}$ bits means that at most $\ell_{oh}$ bits of randomness can be incorporated into a ciphertext. A brute-force

* Supported by the research program Sentinels (http://www.sentinels.nl). Sentinels is being financed by Technology Foundation STW, the Netherlands Organization for Scientific Research (NWO), and the Dutch Ministry of Economic Affairs.

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 355–371, 2008.
Table 1. Upper bounds on the ciphertext overhead (up to small additive constants) in OAEP variants for $(2^t, 2^{-\varepsilon})$-adversaries. The lower bound is $\ell_{oh} \ge t + \varepsilon$. OW: one-wayness. SPD-OW: set partial domain one-wayness.

  Scheme            Ciphertext Overhead     Assumption on TDP   #Feistel rounds
  OAEP […]          ℓ_oh ≤ 3t + 2ε          SPD-OW              2
  OAEP+ […]         ℓ_oh ≤ 3t + 2ε          OW                  2
  PSS-E […]         ℓ_oh ≤ 2t + 2ε          SPD-OW              2
  PSP2 S-Pad […]    ℓ_oh ≤ 2t + 2ε          OW                  4
  OAEP-3R […]       ℓ_oh ≤ 2t + ε           OW                  3
  OAEP-4X (ours)    ℓ_oh = t + ε            OW                  4


adversary in the IND-CPA experiment can exhaustively search for the randomness used for the challenge ciphertext. After encrypting one of the challenge messages up to $2^t$ times, it has an advantage of $\Omega(2^t / 2^{\ell_{oh}})$. Requiring the advantage to be smaller than $2^{-e}$ (and ignoring small additive constants), it must hold that

$$\ell_{oh} \ge t + e.$$

Accordingly, $t + e$ bits are a lower bound on the ciphertext overhead with respect to adversaries running in $2^t$ steps and having a success probability of at most $2^{-e}$, counting one encryption as one step. (We refer to Section 2 for a more formal treatment.) We say that the ciphertext overhead is optimal if it matches the lower bound up to a (small) constant term, i.e., if $\ell_{oh} \le t + e + O(1)$. Since every IND-CPA adversary is also an IND-CCA adversary, the above lower bound also applies to IND-CCA secure schemes.

For a number of schemes the ciphertext overhead primarily depends on the size of the underlying number-theoretic primitive, which is often subject to more sophisticated attacks. For example, ciphertexts of ElGamal-type schemes contain at least one group element of overhead, which must be longer than $2t + e$ bits due to the generic square-root bounds on the discrete-logarithm problem. Hence, the ciphertext overhead of such schemes can never match the generic lower bound.

Upper Bounds from Existing Schemes. Among the cryptosystems based on trapdoor permutations, there are ones whose ciphertext overhead is essentially independent of the size of the underlying permutation. We focus on such schemes for the rest of the paper. An example with optimal ciphertext overhead is the basic version of OAEP, which omits the zero padding and therefore only offers IND-CPA security. Considering IND-CCA security, however, OAEP loses its optimal ciphertext overhead, as exemplified in Section 2.2. On the other hand, concrete security proofs for existing schemes provide upper bounds on the ciphertext overhead with which the desired level of security is attained. Table 1 summarizes the ciphertext overhead of existing schemes. Its content is discussed in the rest of this section.
IND-CCA Security via Validity Checking. As in OAEP, a common approach to achieve IND-CCA security is to attach a deterministic validity string (such as zero-padding or a hash of the message) to the message (or the ciphertext) so that decryption can verify and reject almost all invalid ciphertexts. The ciphertext overhead is thus determined by the size of the randomness and the validity string. OAEP and OAEP+ (Table 1) require randomness of $2t + e$ bits plus a validity string of $t + e$ bits. (See Section 2.2 for details on how to compute these values.) Their ciphertext overhead is thus $\ell_{oh} = 3t + 2e$. PSS-E and PSP2 S-Pad have a better security reduction and achieve $\ell_{oh} = 2t + 2e$, which seems the best one can expect as long as encryption incorporates a validity string into the ciphertexts.

Validity-free Encryption. A considerable step towards minimizing the ciphertext overhead was the validity-free approach introduced by Phan and Pointcheval [22]. In their scheme (called 3-round OAEP) decryption never rejects but returns a random-looking message if a given ciphertext was not properly created with the encryption algorithm. Since no validity string is needed, the ciphertext overhead only depends on the randomness. As we shall discuss later, their security reduction however forces the ciphertext overhead to be $\ell_{oh} = k_r = 2t + e$ bits because of a "quadratic term" $q_h q_d / 2^{k_r}$ that appears in the success probability of their reduction. A more recent scheme suffers from the same problem. In summary, these schemes successfully eliminate the validity string but instead demand extended randomness to prove IND-CCA security.

Encrypting Long Messages. The problem of getting optimal overhead becomes even more difficult when considering longer messages. Notice that all the above schemes limit the messages to the size of the permutation minus the overhead. To encrypt long inputs, it has been suggested to stretch the width of the Feistel network to cover the entire message and to apply the permutation only to a part of the output. But no general and formal treatment has been given to this methodology, and it is unclear if and how it affects the ciphertext overhead. Furthermore, for schemes that use several Feistel rounds, this approach is expensive in computation, as every internal hash function has to deal with a long input or output. A number of methods for constructing hybrid encryption are available, but they all increase the ciphertext overhead, mainly because a one-time session key is being encrypted.

1.2 Our Contribution 

Our main contribution is an IND-CCA-secure public-key encryption scheme with optimal ciphertext overhead based on an arbitrary family of trapdoor one-way permutations in the random oracle model. We follow the validity-free approach of 3-round OAEP [22] but instead use a 4-round Feistel network. (See Figure 1 in Section 3 for a diagram.) We stress that the essential difference is not the increased number of rounds; it is rather the way we bind the message to the randomness in the first round of the Feistel network, while most OAEP variants input the message and the randomness separately. (See Section 1.3 for more intuition.)

Our contribution is mostly theoretical: our scheme demonstrates that lower and upper bounds on the ciphertext overhead with respect to IND-CCA security can match up to a small additive constant in the random oracle model. The design approach that binds the message to the randomness and the security proof may be of technical interest, too. In practice, when implemented with a 1024-bit RSA permutation (80-bit security), our scheme encrypts messages of 943 bits and longer, whereas the best previously known scheme handles 863 bits, an increase of at most 9% in the message space. Though such a $t$-bit saving may have limited practical impact in general, the scheme could find applications with tight bandwidth requirements.

We also introduce a novel method to securely combine simple passively secure symmetric encryption with the Feistel network to encrypt long messages while retaining the optimal ciphertext overhead. The construction is interesting in that it suggests a new variant of a KEM that allows partial message recovery; it is interesting also in a theoretical sense, as it illustrates the difference in the properties of the round functions in a 4-round Feistel network, as will be discussed later.

1.3 Technical Overview 

Achieving Optimal Overhead. We explain the technical details in 3-round OAEP that seem to make it difficult to prove an optimal ciphertext overhead. The extended randomness of size $k_r \ge 2t + e$ stems from a quadratic term $q_h q_d / 2^{k_r}$ in the success probability of the security reduction. Since an adversary running in time $2^t$ can make at most $q_h \le 2^t$ hash oracle queries and $q_d \le 2^t$ decryption queries, we must assume that $q_h q_d \approx (2^t)^2$. Requiring $q_h q_d / 2^{k_r} \le 2^{-e}$ results in $k_r \ge 2t + e$.

Where does this quadratic loss in the reduction actually come from? In the security proof, every time the simulated decryption oracle receives a ciphertext that was not legitimately generated by asking the random oracles, it returns a random plaintext. Later, it patches the hash table for the simulated randomness so that the hash output looks consistent. The patching fails if the randomness has already been asked to the random oracle. This happens with probability at most $q_h / 2^{k_r}$ since there are at most $q_h$ hash queries. Throughout the attack, there are at most $q_d$ decryption queries and hence the error probability of the patching is bounded by $q_h q_d / 2^{k_r}$.

Our main technical contribution is to provide a security analysis for our scheme where only linear terms of the form $q_h / 2^{k_r}$ or $q_d / 2^{k_r}$ appear. We overcome the problem observed in 3-round OAEP by feeding the randomness together with a part of the input message (say $m_1$) into the hash function, i.e., by computing $H_1(r \,\|\, m_1)$. This link between the randomness and the message allows the reduction to partition hash queries by $m_1$, thereby reducing the error probability in patching the hash table to $q_{h,m_1} / 2^{k_r}$, where $q_{h,m_1}$ is the number of hash queries with respect to $m_1$. By summing up the probabilities for all $m_1$ returned from the decryption oracle, the error probability is bounded by $\sum_{m_1} q_{h,m_1} / 2^{k_r} = q_h / 2^{k_r}$. The quadratic term is thus eliminated. The fourth round of the Feistel network is then needed to cover $m_1$.

Encrypting Long Messages. In order to encrypt long messages exceeding the size of the permutation (while retaining the optimal overhead), we incorporate the idea of the Tag-KEM/DEM framework [1], which allows the use of a simple passively secure length-preserving symmetric cipher. The exceeding part of the message is encrypted with the symmetric cipher, whose key is derived from the randomness used in the asymmetric part of encryption. The symmetric part is then tied to the asymmetric part of the ciphertext by feeding it back into one of the hash functions used in the Feistel network. Conceptually, our approach is similar to Tag-KEMs with partial ciphertext recovery, but in our case the message can be directly recovered. Namely, the main part of our construction can be used as a Tag-KEM with partial message recovery.

A concrete technical difficulty is how and where to include the feedback from the symmetric part. Including it in the F-function (random oracle) in every round of the 4-round Feistel network should work but may be redundant. Is it then secure if the feedback is given only to one of the F-functions? Which one? It has been shown that the inner two rounds have different properties than the outer two. Does that also apply to our case? Our result shows that it is sufficient to give the feedback to one of the inner two hash functions. We remark that when including the feedback only in the outer hash functions, either our security proof no longer holds or there is a concrete attack. We refer to Section 3.3 for further details.

1.4 Related Work 

In Other Models. [22] constructed a simple scheme with optimal ciphertext overhead in the ideal full-domain permutation model. Looking at the construction and the security proof, however, one can see that the model is very strong and differs little from idealizing the encryption function itself. Recently it has been shown that an ideal full-domain permutation can be constructed using random oracles, but the reduction is very costly, and a tight reduction needed to retain the optimal overhead is highly unlikely. Note that, in the random oracle model, the same line of work could only present a non-optimal scheme, which shows the difficulty of achieving optimality.

For Short Messages. Schemes based on general one-way permutations can never offer the optimal overhead for messages shorter than the size of the permutation. For the state of the art on this issue, we refer to [2], which presents a scheme that offers a non-optimal $\ell_{oh} \ge 2t + e$, currently the shortest overhead for messages of arbitrary (small) length. It is left as another open problem to construct a scheme with optimal overhead for arbitrary message size.
2 Lower Bound of Ciphertext Overhead

We follow the standard definition of public-key encryption $\mathsf{PKE} = (\mathcal{G}, \mathcal{E}, \mathcal{D})$ and indistinguishability against chosen plaintext attacks (IND-CPA) and adaptive chosen ciphertext attacks (IND-CCA). For formal definitions, we refer to the full version [3].

2.1 General Argument 

Let $\mathsf{PKE} = (\mathcal{G}, \mathcal{E}, \mathcal{D})$ be a public-key encryption scheme and let $\mathcal{M}$ and $\mathcal{R}$ be the message and randomness space associated to a public key $pk$. For $(pk, sk) \leftarrow \mathcal{G}(1^k)$ and $M \in \mathcal{M}$, let $C(M)$ denote the set of ciphertexts that recover message $M$. The ciphertext overhead with respect to $k$ is defined by $\ell^k_{oh} = |\mathcal{E}_{pk}(M; r)| - |M|$. To obtain a simple form of the lower bound, we restrict ourselves to $\mathsf{PKE}$ where $\ell^k_{oh}$ is a fixed positive constant for any $pk \in \mathcal{G}(1^k)$, $M \in \mathcal{M}$, and $r \in \mathcal{R}$.

Let $A$ be an adversary that runs in $2^t$ steps and breaks the semantic (IND-CPA) security of $\mathsf{PKE}$ with advantage at most $2^{-e}$. To study the relation between the adversary's ability and the ciphertext overhead, we treat $t, e$ independently from $k$ and represent the bounds of the ciphertext overhead as a function $\ell^k_{oh}(t, e)$. In the following argument, we count every encryption as one step. $A$ launches the following attack.

1. Given $pk$ generated by $(pk, sk) \leftarrow \mathcal{G}(1^k)$, pick arbitrary $M_0$ and $M_1$ of the same length from $\mathcal{M}$. Send $(M_0, M_1)$ to the challenger and receive $c^* = \mathcal{E}_{pk}(M_b)$ where $b \leftarrow \{0, 1\}$.

2. Repeat the following up to $2^t$ times.

   - $r \leftarrow \mathcal{R}$, $c = \mathcal{E}_{pk}(M_0; r)$.
   - If $c = c^*$, output $\hat{b} = 0$ and stop.

3. Output $\hat{b} = 1$.

For a string $c$, let $p(c)$ denote the probability that $c = \mathcal{E}_{pk}(M_0; r)$ happens for uniformly chosen $r$. Similarly, let $p'(pk)$ denote the probability that $pk$ is selected by $\mathcal{G}(1^k)$. The advantage of adversary $A$ in breaking the semantic security with respect to $pk$ is

$$\mathrm{Adv}_{A,pk} = \bigl|\Pr[\hat{b} = 0 \mid b = 0] - \Pr[\hat{b} = 0 \mid b = 1]\bigr| = \Pr[\hat{b} = 0 \mid b = 0] - 0 = \sum_{c \in C(M_0)} p(c)\bigl(1 - (1 - p(c))^{2^t}\bigr). \qquad (1)$$

Let $\eta$ be the min-entropy with respect to the ciphertexts in $C(M_0)$ in bits. Since $p(c) \ge 1/2^{\eta}$ for any $c \in C(M_0)$,

$$\mathrm{Adv}_{A,pk} \ge \sum_{c \in C(M_0)} p(c)\Bigl(1 - \bigl(1 - \tfrac{1}{2^{\eta}}\bigr)^{2^t}\Bigr) \ge \frac{2^t}{2^{\eta}} - \frac{2^t(2^t - 1)}{2^{2\eta + 1}}. \qquad (2)$$
Since $\eta \le \ell^k_{oh}$, we have

$$\mathrm{Adv}_A(k) = \sum_{pk \in \mathcal{G}(k)} p'(pk)\,\mathrm{Adv}_{A,pk} \ge \sum_{pk \in \mathcal{G}(k)} p'(pk)\left(\frac{2^t}{2^{\ell^k_{oh}}} - \frac{2^t(2^t - 1)}{2^{2\ell^k_{oh} + 1}}\right) \ge \frac{1}{2} \cdot \frac{2^t}{2^{\ell^k_{oh}}}. \qquad (3)$$

Since we require $\mathrm{Adv}_A(k) \le 2^{-e}$, it holds that $2^{-e} \ge \frac{1}{2} \cdot \frac{2^t}{2^{\ell^k_{oh}}}$ for $t, e \ge 1$. Thus we have the lower bound:

$$\ell^k_{oh}(t, e) \ge t + e - 1. \qquad (4)$$

If $c \leftarrow \mathcal{E}_{pk}(M; r)$ is bijective with respect to $c$ and $r$, the adversary can search $r$ one by one without duplication, and the advantage for this case is $\mathrm{Adv}_{A,pk} = 2^t / 2^{\ell_{oh}}$, which results in $\ell_{oh}(t, e) \ge t + e$.

In the above discussion we used the simplified argument of counting one encryption as one single time unit. More generally, one should count each fundamental cryptographic operation (such as hashing, a group operation, etc.) as one step. Hence the value $2^t$ is understood as the total number of times the adversary performs the fundamental cryptographic operations. A precise assessment is possible by incorporating an adequate scaling factor that represents the exact number of steps (depending on the computational model).

2.2 Example: Ciphertext Overhead of OAEP 

OAEP includes randomness of size $k_r$ and zero-padding of size $k_v$. These parameters define the ciphertext overhead as $\ell_{oh} = k_r + k_v$. Together with the size of the permutation, $n$, they are provided as a security parameter $k = (n, k_r, k_v)$. According to the concrete security bound for OAEP (Theorem 1 of the cited analysis), the advantage of an adversary $A$ against the IND-CCA security of OAEP, making up to $q$ decryption and hash queries, is upper bounded by

$$\mathrm{Adv}^{\mathrm{cca}}_A(k) \le \epsilon_{spd}(n) + \frac{c\,q^2}{2^{k_r}} + \frac{d\,q}{2^{k_v}}, \qquad (5)$$

where $\epsilon_{spd}(n)$ is the probability of breaking set partial one-wayness of the underlying trapdoor permutation of size $n$, and $c, d \ge 1$ are two (small) constants.

Consider a $(2^t, 2^{-e})$ adversary that can make at most $q \le 2^t$ oracle queries. Since parameter $n$ can be chosen essentially independently from $k_r$ and $k_v$, we can safely assume that $\epsilon_{spd}(n)$ is small enough. Assuming $\epsilon_{spd}(n) \le c''\,2^{-e}$ with a constant $0 < c'' < 1$ for concreteness, each of the remaining two terms in (5) must be smaller than $2^{-e} - \epsilon_{spd}(n) \ge (1 - c'')\,2^{-e}$. Namely,

$$\frac{c\,q^2}{2^{k_r}} < (1 - c'')\,2^{-e} \quad\text{and}\quad \frac{d\,q}{2^{k_v}} < (1 - c'')\,2^{-e} \qquad (6)$$
Fig. 1. The diagram of (a part of) encryption. Input message is $m = m_1 \,\|\, m_2 \,\|\, m_e \in \{0,1\}^{k_{m_1}} \times \{0,1\}^{k_{m_2}} \times \{0,1\}^*$ and the randomness is $r \in \{0,1\}^{k_r}$. The actual ciphertext is $(u, c)$ where $u = f(t \,\|\, s)$.


must hold. Accordingly, in order to attain the desired security level, it is sufficient to choose

$$k_r = 2t + e \quad\text{and}\quad k_v = t + e \qquad (7)$$

plus some small positive constants. As a result, the ciphertext overhead of OAEP is upper bounded by

$$k_r + k_v = 3t + 2e + O(1). \qquad (8)$$

3 Proposed Scheme 

3.1 Description 

Our construction requires a symmetric-key encryption scheme $\mathsf{SE}_{k_e} = (\mathsf{E}, \mathsf{D})$ and a trapdoor permutation family $\mathcal{P}_n$ as building blocks. The symmetric encryption scheme $\mathsf{SE}$ must be length-preserving and passively secure (indistinguishable against passive attacks), and the trapdoor permutation family must be one-way. For formal definitions, we refer to the full version [3].

Let $(n, k_e, k_r)$ be a set of security parameters where $n$ represents the bit-length of the trapdoor permutation, $k_e$ is the key size of the symmetric-key encryption, and $k_r$ is the size of randomness incorporated into the ciphertext. The proposed scheme $\mathsf{PKE} = (\mathcal{G}, \mathcal{E}, \mathcal{D})$ is the following. See also Figure 1 for a diagram of encryption.

Key Generation $\mathcal{G}$: Given a security parameter $k = (n, k_e, k_r)$ for $n \ge 6 k_r$, set parameters $k_{m_1}$ and $k_{m_2}$ so that

$$k_{m_1} \ge 2 k_r, \quad k_{m_2} \ge 3 k_r, \quad n = k_r + k_{m_1} + k_{m_2} \qquad (9)$$

are fulfilled. Then select $(f, f^{-1}) \leftarrow \mathcal{P}_n$ (the trapdoor permutation generator) and hash functions $G$ and $H_i$ for $i = 1, 2, 3, 4$ such that

$$G : \{0,1\}^{k_r + k_{m_1}} \to \{0,1\}^{k_e}, \quad H_1 : \{0,1\}^{k_r + k_{m_1}} \to \{0,1\}^{k_{m_2}},$$
$$H_2 : \{0,1\}^{k_{m_2}} \to \{0,1\}^{k_r + k_{m_1}}, \quad H_3 : \{0,1\}^* \to \{0,1\}^{k_{m_2}},$$
$$H_4 : \{0,1\}^{k_{m_2}} \to \{0,1\}^{k_r + k_{m_1}}.$$

The private key is $f^{-1}$. The public key includes $f$, $\mathsf{SE}_{k_e}$, and the hash functions with associated parameters.

Encryption $\mathcal{E}$: Given a plaintext $m \in \{0,1\}^*$, first chop it into three blocks, $m_1$, $m_2$, and $m_e$ such that

$$m = m_1 \,\|\, m_2 \,\|\, m_e \in \{0,1\}^{k_{m_1}} \times \{0,1\}^{k_{m_2}} \times \{0,1\}^*.$$

Then choose random $r \leftarrow \{0,1\}^{k_r}$ and compute

$$z = r \,\|\, m_1, \quad w = G(z), \quad c = \mathsf{E}_w(m_e),$$
$$h_1 = H_1(z), \quad v = h_1 \oplus m_2, \quad h_2 = H_2(v), \quad d = h_2 \oplus z,$$
$$h_3 = H_3(d \,\|\, c), \quad s = h_3 \oplus v, \quad h_4 = H_4(s), \quad t = h_4 \oplus d,$$

and $u = f(t \,\|\, s)$. The ciphertext is $(u, c) \in \{0,1\}^n \times \{0,1\}^*$.

Decryption $\mathcal{D}$: Given a ciphertext $(u, c) \in \{0,1\}^n \times \{0,1\}^*$, compute $y = f^{-1}(u)$ and parse $y$ as $y = t \,\|\, s \in \{0,1\}^{k_r + k_{m_1}} \times \{0,1\}^{k_{m_2}}$. Then compute the following values:

$$h_4 = H_4(s), \quad d = h_4 \oplus t, \quad h_3 = H_3(d \,\|\, c), \quad v = h_3 \oplus s,$$
$$h_2 = H_2(v), \quad z = h_2 \oplus d, \quad h_1 = H_1(z), \quad m_2 = h_1 \oplus v,$$
$$w = G(z), \quad m_e = \mathsf{D}_w(c),$$

and parse $z = r \,\|\, m_1 \in \{0,1\}^{k_r} \times \{0,1\}^{k_{m_1}}$. The output is $m_1 \,\|\, m_2 \,\|\, m_e$.
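As an added example (not the paper's own code), the following Python implementation of the encryption and decryption above uses domain-separated SHAKE256 in place of the random oracles $G, H_1, \ldots, H_4$, a toy RSA map in place of the trapdoor permutation $f$, and a SHAKE keystream as the length-preserving cipher $\mathsf{E}_w$; the byte-level parameters are constructed for the demo and satisfy (9). It also exhibits the validity-free behaviour: a tampered $c$ decrypts to a random-looking message rather than being rejected.

```python
import hashlib
import os

# Toy parameters in bytes, constructed for this demo (not from the paper).
# They satisfy the paper's constraints k_m1 >= 2 k_r, k_m2 >= 3 k_r and
# n = k_r + k_m1 + k_m2 (here n = 18 bytes = 144 bits).
K_R, K_M1, K_M2, K_E = 3, 6, 9, 16
N_BYTES = K_R + K_M1 + K_M2

# Stand-in for the trapdoor permutation f: toy RSA over two Mersenne primes.
# It is NOT secure (trivially factored) and is only injective on n-bit
# inputs because 2^144 < N; a deployment needs a proper n-bit permutation.
_P, _Q = (1 << 61) - 1, (1 << 89) - 1
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # the trapdoor f^-1


def f(x: bytes) -> int:
    """Public direction u = f(t || s); x must be exactly n bytes."""
    assert len(x) == N_BYTES
    return pow(int.from_bytes(x, "big"), RSA_E, RSA_N)


def f_inv(u: int) -> bytes:
    """Trapdoor direction; u must be the image of an n-byte string."""
    return pow(u, RSA_D, RSA_N).to_bytes(N_BYTES, "big")


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def ro(tag: bytes, data: bytes, out_len: int) -> bytes:
    """Domain-separated SHAKE256, standing in for a random oracle."""
    return hashlib.shake_256(tag + data).digest(out_len)


# G, H1..H4 with the input/output lengths required by key generation.
def G(z):   return ro(b"G", z, K_E)            # {0,1}^(k_r+k_m1) -> {0,1}^k_e
def H1(z):  return ro(b"H1", z, K_M2)          # {0,1}^(k_r+k_m1) -> {0,1}^k_m2
def H2(v):  return ro(b"H2", v, K_R + K_M1)    # {0,1}^k_m2 -> {0,1}^(k_r+k_m1)
def H3(dc): return ro(b"H3", dc, K_M2)         # {0,1}^* -> {0,1}^k_m2
def H4(s):  return ro(b"H4", s, K_R + K_M1)    # {0,1}^k_m2 -> {0,1}^(k_r+k_m1)


def sym_encrypt(w: bytes, m_e: bytes) -> bytes:
    """Length-preserving, passively secure stream cipher E_w / D_w:
    a one-time SHAKE keystream, since w is fresh for every encryption."""
    return xor(m_e, hashlib.shake_256(b"SE" + w).digest(len(m_e)))


sym_decrypt = sym_encrypt   # XOR stream cipher: decryption is the same map


def encrypt(m: bytes, r: bytes = None):
    """Four-round Feistel encryption of Section 3.1; returns (u, c)."""
    if len(m) < K_M1 + K_M2:
        raise ValueError("message must be at least k_m1 + k_m2 bytes")
    m1, m2, m_e = m[:K_M1], m[K_M1:K_M1 + K_M2], m[K_M1 + K_M2:]
    r = os.urandom(K_R) if r is None else r
    z = r + m1                      # round 1 binds the randomness to m1
    w = G(z)
    c = sym_encrypt(w, m_e)         # symmetric part of the ciphertext
    v = xor(H1(z), m2)
    d = xor(H2(v), z)
    s = xor(H3(d + c), v)           # c is fed back into the inner round H3
    t = xor(H4(s), d)
    return f(t + s), c


def decrypt(u: int, c: bytes) -> bytes:
    """Validity-free decryption: never rejects, always returns a message."""
    y = f_inv(u)
    t, s = y[:K_R + K_M1], y[K_R + K_M1:]
    d = xor(H4(s), t)
    v = xor(H3(d + c), s)
    z = xor(H2(v), d)
    m2 = xor(H1(z), v)
    m_e = sym_decrypt(G(z), c)
    m1 = z[K_R:]                    # z = r || m1; r is discarded
    return m1 + m2 + m_e


def ciphertext_overhead_bytes(m: bytes, c: bytes) -> int:
    """|u| + |c| - |m| with |u| = n bytes: equals k_r, the randomness size."""
    return N_BYTES + len(c) - len(m)


if __name__ == "__main__":
    msg = b"the quick brown fox jumps over the lazy dog"   # constructed sample
    u, c = encrypt(msg)
    assert decrypt(u, c) == msg
    print("overhead (bytes):", ciphertext_overhead_bytes(msg, c))
    # Flipping one bit of c changes H3(d || c), so the recovered m1 || m2
    # becomes random-looking garbage instead of triggering a rejection.
    tampered = bytes([c[0] ^ 1]) + c[1:]
    print("tampered m1 matches?", decrypt(u, tampered)[:K_M1] == msg[:K_M1])
```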

3.2 Security and Optimality 

The following theorems hold for $\mathsf{PKE}$ described in the previous section. A proof sketch is in Section 4 and the complete proof is in [3].

Theorem 1 (Chosen Ciphertext Security). Suppose $A$ is an adversary that runs in time $\tau$ with at most $q_h$ hash queries and $q_d$ decryption queries. Then there exist an adversary $B$ that runs in time at most $\tau + O(q_h^2)$ and an adversary $C$ that runs in time at most $\tau + O(1)$ with

$$\mathrm{Adv}^{\mathrm{cca}}_A(k) \le \mathrm{Adv}^{\mathrm{ind\text{-}pa}}_{C,\mathsf{SE}}(k_e) + 2\,\mathrm{Adv}^{\mathrm{owp}}_{B,\mathcal{P}}(n) + O\!\left(\frac{q_h + q_d}{2^{k_r}}\right).$$

Note that the number of hash queries includes the ones made through the decryption queries. In an asymptotic sense, Theorem 1 states that the above scheme is semantically secure against adaptive chosen ciphertext attacks in the random oracle model if the trapdoor permutation $\mathcal{P}$ is one-way and $\mathsf{SE}$ is passively secure.

As is the case for most OAEP variants, our security reduction includes a quadratic factor $q_h^2$ in the running time of the adversary against the one-way permutation. This results in demanding a larger $n$, which increases the minimal length of the message the scheme can encrypt while attaining the optimal overhead. The approach from [19] helps achieve a linear running time if desired.

Theorem 2 (Optimality in Ciphertext Overhead). If $\mathrm{Adv}^{\mathrm{ind\text{-}pa}}_{C,\mathsf{SE}}(k_e) + 2\,\mathrm{Adv}^{\mathrm{owp}}_{B,\mathcal{P}}(n) \le 2^{-(e+1)}$ holds for all adversaries $C$ and $B$ running in time $2^t$, then $k_r = \ell_{oh} = t + e + 4$ is sufficient for messages of size equal to or larger than $n - k_r$ bits.

Note that parameters $k_e$ and $n$ are independent of the overhead and can be set arbitrarily to fulfill the condition.


3.3 Notes on Variations 

Why Not 3 Rounds? Consider the 3-round version of our scheme obtained by removing $H_4$ and simply letting $t = d$. We show that the 3-round version is not simulatable, at least with the technique that constructs a plaintext extractor from the queries to the random oracles. Since the following argument holds regardless of the presence of the extended part $c$, let us ignore it.

Suppose that the adversary creates two ciphertexts $u$ and $u'$ by randomly choosing $t, s, t'$ and computing $s' = H_3(t) \oplus s \oplus H_3(t')$, $u = f(t \,\|\, s)$, and $u' = f(t' \,\|\, s')$. Since $H_3(t) \oplus s = H_3(t') \oplus s'$, decrypting $u$ and $u'$ yields the same $v$. However, such a relation between $u$ and $u'$ cannot be detected by the simulator since $H_2(v)$ is not asked. Accordingly the decryption oracle must return random $m_1 \,\|\, m_2$ and $m_1' \,\|\, m_2'$ to answer the queries on $u$ and $u'$, respectively. Then the adversary asks $H_2(v)$ and obtains $h_2$. For consistency, it must hold that $h_2 = (r \,\|\, m_1) \oplus t = (r' \,\|\, m_1') \oplus t'$. However, since $m_1$ and $m_1'$ are randomly chosen before the simulator sees $t$ and $t'$, such a relation can be fulfilled only by chance. The adversary can notice the inconsistency by checking the relation, and the simulation should fail.

Including $c$ Into a Hash Other than $H_3$. We discuss the variants that include $c$ in one of the hash functions other than $H_3$. In summary, only the inner two hash functions, $H_2$ and $H_3$, are the right choice.

- Case of $H_1(z \,\|\, c)$. This is clearly a wrong choice since $(u^*, c^*)$ and $(u^*, c)$ yield the same $m_1$.

- Case of $H_2(v \,\|\, c)$. It is possible to modify the proof of Theorem 1 to show that this variant is also secure.

- Case of $H_4(s \,\|\, c)$. For this case, we can show that a (powerful) adversary can distinguish the simulation from the reality. The underlying idea is that, given a challenge ciphertext $(u^*, c^*)$, the adversary builds a ciphertext $(u, c)$ that yields the same plaintext without making queries to $H_3$. Suppose that the adversary finds $(t^*, s^*)$. It obtains $h_4^* = H_4(s^* \,\|\, c^*)$ and $d^* = h_4^* \oplus t^*$. It then selects an arbitrary $c$ and asks $h_4 = H_4(s^* \,\|\, c)$. Note that $c$ must be different from $c^*$. It further computes $t = d^* \oplus h_4$ and $u = f(t \,\|\, s^*)$. Observe that $(u, c)$ recovers $d^*$ and $v^*$ since $d = t \oplus H_4(s^* \,\|\, c) = d^* \oplus h_4 \oplus H_4(s^* \,\|\, c) = d^* \oplus h_4 \oplus h_4 = d^*$ and $v = s^* \oplus H_3(d) = s^* \oplus H_3(d^*) = v^*$. Therefore, the selected challenge message is returned if $(u, c)$ is asked to the real decryption oracle. However, since $H_3(d^*)$ has only been defined implicitly and was never directly asked by the adversary, the simulated decryption oracle cannot detect such a case and returns a random message, which is noticed by the adversary.

4 Proofs 

4.1 Proof of Theorem (Sketch) 

We proceed in games. Let $X_i$ denote the event that adversary $A$ outputs $\hat{b} = b$ in Game $i$.

Game 0. The original CCA game. By definition, we have

$$\Pr[X_0] = \tfrac{1}{2} \cdot \mathrm{Adv}^{\mathrm{cca}}_A(k) + \tfrac{1}{2}. \qquad (10)$$

Game 1. Modify the challenge oracle so that it returns a random $u^*$ that is independent from the challenge messages as follows.

Challenge Oracle $(M_0, M_1)$.
C.1 Choose $u^* \leftarrow \{0,1\}^n$.
C.2 Choose $b \leftarrow \{0,1\}$ and split $M_b$ into $m_1^*$, $m_2^*$ and $m_e^*$, accordingly. Then choose $w^* \leftarrow \{0,1\}^{k_e}$ and compute $c^* = \mathsf{E}_{w^*}(m_e^*)$.
C.3 Return $(u^*, c^*)$.

For $u^*$, $c^*$ and $w^*$, let $(t^*, s^*, d^*, v^*, z^*, h_1^*, h_2^*, h_3^*, h_4^*)$ be a consistent internal state. Let $\mathsf{AskH}_3^*$ denote the event that $(d^* \,\|\, c^*)$ is asked to $H_3$ after $s^*$ is asked to $H_4$. The following bound can be shown.

$$|\Pr[X_0] - \Pr[X_1]| \le \frac{q_g + q_{h_1}}{2^{k_r}} + \frac{q_{h_2}}{2^{k_{m_2}}} + \frac{q_{h_3}}{2^{k_r + k_{m_1}}} + \Pr[\mathsf{AskH}_3^*] \qquad (11)$$

It is straightforward to see that distinguishing $b$ breaks the passive security of the symmetric encryption, since only the symmetric part is related to $b$ in Game 1. We thus have

$$\Pr[X_1] \le \tfrac{1}{2} + \tfrac{1}{2} \cdot \mathrm{Adv}^{\mathrm{ind\text{-}pa}}_{C,\mathsf{SE}}(k_e), \qquad (12)$$

for some suitable adversary $C$ that has similar running time as $A$.
To bound $\Pr[\mathsf{AskH}_3^*]$, we initiate a new series of sub-games starting from Game 1. In the following games, each random oracle $X$ is simulated with an independent list $L_X$ that is initially empty. When $X$ is first asked on a fresh input $a$, output $b$ is uniformly selected and $(a, b)$ is stored in $L_X$. If $a$ has been asked before, the corresponding $b$ is read from $L_X$ and returned. By $(a, [b]) \in L_X$, we mean that table $L_X$ includes an entry whose first element is $a$. If such an entry exists, the second element is denoted by $b$. List $L_X$ is consistent for oracle $X$ if every input $a$ is unique in $L_X$. By $F_{1.i}$ we denote the same event in the following sub-games Game $1.i$.

Game 1.0. This game is the same as Game 1. Since this is just a change of notation, we have

$$\Pr[\mathsf{AskH}_3^*] = \Pr[F_{1.0}]. \qquad (13)$$


Game 1.1. The game is modified so that it immediately stops at the moment $\mathsf{AskH}_3^*$ happens. To capture event $\mathsf{AskH}_3^*$, hash oracle $H_3$ is modified so that it checks whether the query $d \,\|\, c$ equals the value $d^* \,\|\, c^*$ by searching $L_{H_4}$ for the corresponding $s^*$.

Hash Oracle $H_3(d \,\|\, c)$.
A.1 If $(d \,\|\, c, [h_3]) \in L_{H_3}$, return $h_3$.
A.2 Choose $h_3 \leftarrow \{0,1\}^{k_{m_2}}$ and add $(d \,\|\, c, h_3)$ to $L_{H_3}$.
A.3 Repeat the following for every entry $(s, h_4)$ in $L_{H_4}$:
  (a) Compute $t = d \oplus h_4$, $u = f(t \,\|\, s)$.
  (b) If $u = u^*$, abort the game (event $F_{1.1}$).
A.4 Return $h_3$.

Since this modification does not change the view of the adversary unless $\mathsf{AskH}_3^*$ happens, we have

$$\Pr[F_{1.0}] = \Pr[F_{1.1}]. \qquad (14)$$


Game 1.2. Modify the decryption oracle so that it returns a random message when a decryption query is made on a ciphertext whose associated $d \,\|\, c$ was not yet asked to $H_3$. Modify $H_3$ for consistency, too.

Decryption Oracle $\mathcal{D}(u, c)$.
D.1 Compute $t \,\|\, s = f^{-1}(u)$.
D.2 $h_4 \leftarrow H_4(s)$.
D.3 Let $d = t \oplus h_4$. If $(d \,\|\, c, [h_3]) \notin L_{H_3}$, go to the next step. Otherwise, return $m_1 \,\|\, m_2 \,\|\, m_e$ computed normally by using $t$, $s$, $d$, and $h_3$.
D.4 Return $m_1 \,\|\, m_2 \,\|\, m_e$ computed as follows.
  (a) Select $m_1$, $m_2$, and $w$ uniformly and compute $m_e = \mathsf{D}_w(c)$.
  (b) Add $(u, c, w, m_1, m_2)$ to $L_{watch}$.

Hash Oracle $H_3(d \,\|\, c)$.
A.1 If $(d \,\|\, c, [h_3]) \in L_{H_3}$, return $h_3$.
A.2 Choose $h_3 \leftarrow \{0,1\}^{k_{m_2}}$ and put $(d \,\|\, c, h_3)$ to $L_{H_3}$.
A.3 Repeat the following for every entry $(s, h_4)$ in $L_{H_4}$:
  (a) Compute $t = d \oplus h_4$, $u = f(t \,\|\, s)$, $v = h_3 \oplus s$.
  (b) If $u = u^*$, abort the game (event $F_{1.2}$).
  (c) If $(u, c, [w], [m_1], [m_2]) \in L_{watch}$, do as follows.
      - Select $r \leftarrow \{0,1\}^{k_r}$ and compute $z = r \,\|\, m_1$, $h_2 = d \oplus z$, $h_1 = m_2 \oplus v$.
      - Add $(z, w)$, $(z, h_1)$, and $(v, h_2)$ to $L_G$, $L_{H_1}$, and $L_{H_2}$, respectively.
      - Remove entry $(u, c, w, m_1, m_2)$ from $L_{watch}$.
A.4 Return $h_3$.

The following bound can be shown.

$$|\Pr[F_{1.1}] - \Pr[F_{1.2}]| \le \frac{q_g + q_{h_1}}{2^{k_r}} + \frac{q_d^2}{2^{k_{m_1}}} + \frac{q_{h_2}\,q_d}{2^{k_{m_2}}}. \qquad (15)$$


Game 1.3. Modify the decryption oracle so that it also returns a random message when a decryption query is made on a ciphertext whose associated $s$ was not yet asked to $H_4$.

Decryption Oracle $\mathcal{D}(u, c)$.
D.1 Compute $t \,\|\, s = f^{-1}(u)$.
D.2 If $(s, [h_4]) \in L_{H_4}$ and $(d \,\|\, c, [h_3]) \in L_{H_3}$ for $d = t \oplus h_4$, then return $m_1 \,\|\, m_2 \,\|\, m_e$ computed normally by using $t$, $s$, $d$, and $h_3$.
D.3 Otherwise, return $m_1 \,\|\, m_2 \,\|\, m_e$ computed as follows.
  (a) Select $m_1$, $m_2$, and $w$ uniformly and compute $m_e = \mathsf{D}_w(c)$.
  (b) Add $(u, c, w, m_1, m_2)$ to $L_{watch}$.

The following bound can be shown.

$$|\Pr[F_{1.2}] - \Pr[F_{1.3}]| \le \frac{q_{h_3}\,q_d}{2^{k_r + k_{m_1}}}. \qquad (16)$$


Game 1.4. Modify the decryption oracle so that it uses a lookup table instead of computing $t \,\|\, s = f^{-1}(u)$.

Decryption Oracle $\mathcal{D}(u, c)$.
D.1 If $(u, c, [t], [s]) \in L_X$, then continue the normal decryption procedure by using $t$ and $s$ and return the obtained message.
D.2 Otherwise, return random $m_1 \,\|\, m_2 \,\|\, m_e$ computed as follows.
  (a) Select $m_1$, $m_2$, and $w$ uniformly and compute $m_e = \mathsf{D}_w(c)$.
  (b) Add $(u, c, w, m_1, m_2)$ to $L_{watch}$ and return $m_1 \,\|\, m_2 \,\|\, m_e$.

Hash Oracle $H_3(d \,\|\, c)$.
A.1 If $(d \,\|\, c, [h_3]) \in L_{H_3}$, return $h_3$.
A.2 Choose $h_3 \leftarrow \{0,1\}^{k_{m_2}}$ and put $(d \,\|\, c, h_3)$ to $L_{H_3}$.
A.3 Repeat the following for every entry $(s, h_4)$ in $L_{H_4}$:
  (a) Compute $t = d \oplus h_4$, $u = f(t \,\|\, s)$, $v = h_3 \oplus s$.
  (b) If $u = u^*$, abort the game with status 1 (event $F_{1.4}$).
  (c) If $(u, c, [w], [m_1], [m_2]) \in L_{watch}$, do as follows.
      - Select $r \leftarrow \{0,1\}^{k_r}$ and compute $z = r \,\|\, m_1$, $h_2 = d \oplus z$, $h_1 = m_2 \oplus v$.
      - Add $(z, w)$, $(z, h_1)$, and $(v, h_2)$ to $L_G$, $L_{H_1}$, and $L_{H_2}$, respectively.
      - Remove entry $(u, c, w, m_1, m_2)$ from $L_{watch}$.
  (d) Put $(u, c, t, s)$ to $L_X$.
A.4 Return $h_3$.

Hash Oracle $H_4(s)$.
B.1 If $(s, [h_4]) \in L_{H_4}$, return $h_4$.
B.2 Choose $h_4 \leftarrow \{0,1\}^{k_r + k_{m_1}}$ and put $(s, h_4)$ to $L_{H_4}$.
B.3 Repeat the following for every entry $(d \,\|\, c, [h_3])$ in $L_{H_3}$:
  (a) Let $t = d \oplus h_4$, $v = s \oplus h_3$, and $u = f(t \,\|\, s)$.
  (b) Put $(u, c, t, s)$ to $L_X$.
B.4 Return $h_4$.

Since the adversary's view is not influenced by this modification, we have

$$\Pr[F_{1.3}] = \Pr[F_{1.4}]. \qquad (17)$$

Game 1.4 does not use $f^{-1}$ or any $*$-marked internal values at all. Challenge $u^*$ is a random element in $\{0,1\}^n$, and $t^* \,\|\, s^*$ such that $f(t^* \,\|\, s^*) = u^*$ can be extracted if $F_{1.4}$ happens. It is thus straightforward to construct an adversary $B$ that computes $f^{-1}$ using adversary $A$ that causes $F_{1.4}$. We thus have

$$\Pr[F_{1.4}] \le \mathrm{Adv}^{\mathrm{owp}}_{B,\mathcal{P}}(n). \qquad (18)$$

The running time of $B$ is bounded by that of $A$ plus $O(q_h^2)$ (cf. Theorem 1). From (11) and (13) to (18), we have

$$\mathrm{Adv}^{\mathrm{cca}}_A(k) \le \mathrm{Adv}^{\mathrm{ind\text{-}pa}}_{C,\mathsf{SE}}(k_e) + 2 \cdot \mathrm{Adv}^{\mathrm{owp}}_{B,\mathcal{P}}(n) + \frac{4(q_{h_1} + q_g)}{2^{k_r}} + \frac{2\,q_d^2}{2^{k_{m_1}}} + \frac{2\,q_{h_2}(q_d + 1)}{2^{k_{m_2}}} + \frac{2\,q_{h_3}(q_d + 1)}{2^{k_r + k_{m_1}}}.$$

Finally, using $k_{m_1} \ge 2 k_r$, $k_{m_2} \ge 3 k_r$ and setting $q_h = q_{h_1} + q_{h_2} + q_{h_3} + q_{h_4} + q_g$, this simplifies to the claimed form in the theorem as follows.

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{cca}}_A(k) &\le \mathrm{Adv}^{\mathrm{ind\text{-}pa}}_{C,\mathsf{SE}}(k_e) + 2 \cdot \mathrm{Adv}^{\mathrm{owp}}_{B,\mathcal{P}}(n) + \frac{4\,q_h}{2^{k_r}} + \frac{2\,q_d^2}{2^{2 k_r}} + \frac{2\,q_h(q_d + 1)}{2^{3 k_r}} \\
&\le \mathrm{Adv}^{\mathrm{ind\text{-}pa}}_{C,\mathsf{SE}}(k_e) + 2 \cdot \mathrm{Adv}^{\mathrm{owp}}_{B,\mathcal{P}}(n) + O\!\left(\frac{q_h + q_d}{2^{k_r}}\right)
\end{aligned} \qquad (19)$$
4.2 Proof of Theorem 2

Fix $e$ and $t$. We require $\mathrm{Adv}^{\mathrm{cca}}_A(k) \le 1/2^e$ for adversaries $A$ running in time $2^t$. Using the explicit bound (19) from the proof of Theorem 1, it is sufficient to set $k_r$ so that

$$\mathrm{Adv}^{\mathrm{ind\text{-}pa}}_{C,\mathsf{SE}}(k_e) + 2 \cdot \mathrm{Adv}^{\mathrm{owp}}_{B,\mathcal{P}}(n) + \frac{4\,q_h}{2^{k_r}} + \frac{2\,q_d^2}{2^{2 k_r}} + \frac{2\,q_h(q_d + 1)}{2^{3 k_r}} \le \frac{1}{2^e} \qquad (20)$$

is fulfilled. By assuming that $k_e$ and $n$ are set to satisfy

$$\mathrm{Adv}^{\mathrm{ind\text{-}pa}}_{C,\mathsf{SE}}(k_e) + 2 \cdot \mathrm{Adv}^{\mathrm{owp}}_{B,\mathcal{P}}(n) \le \frac{1}{2^{e+1}},$$

it is sufficient to choose $k_r$ such that

$$\frac{4\,q_h}{2^{k_r}} + \frac{2\,q_d^2}{2^{2 k_r}} + \frac{2\,q_h(q_d + 1)}{2^{3 k_r}} \le \frac{1}{2^{e+1}}. \qquad (21)$$

To achieve semantic security, $q_h / 2^{k_r} \le 1$ and $q_d / 2^{k_r} \le 1$ must hold. Since $2^t$ upper bounds the running time, $q_h \le 2^t$ and $q_d \le 2^t$ must hold, too. By using these bounds, the left side of (21) simplifies to

(22)

Thus we have

which results in $t + e + 4 \le k_r$. Since $\ell_{oh} = k_r$ holds for all messages of size equal to or larger than $n - k_r$ bits, $\ell_{oh} = k_r = t + e + 4$ is sufficient. It matches the lower bound up to the constant term.

5 Conclusion and Open Problems 

We propose a variant of OAEP that attains an optimal overhead in the random oracle model and thereby prove that the lower bound on the ciphertext overhead is tight even with respect to IND-CCA security. Open problems include:

- Show the bound without random oracles. In the standard model, the schemes with the shortest known ciphertext overhead carry two group elements, which results in $\ell_{oh} \ge 4t + 2e$ bits. It remains a very interesting open question whether or not optimality can be achieved without random oracles.

- Optimal ciphertext overhead for shorter messages. We refer to [2], whose (DH-based) schemes offer $\ell_{oh} \ge 2t + e$ for short messages.

- Show that 4 rounds are necessary (or not) in our construction.
Abstract. In this paper, we show that two variants of Stern's identification scheme [IEEE Transactions on Information Theory '96] are provably secure against concurrent attack under assumptions on the worst-case hardness of lattice problems. These assumptions are weaker than those for the previous lattice-based identification schemes of Micciancio and Vadhan [CRYPTO '03] and of Lyubashevsky [PKC '08]. We also construct efficient ad hoc anonymous identification schemes based on the lattice problems by modifying the variants.

Keywords: Lattice-based cryptography, identification schemes, concurrent security, ad hoc anonymous identification schemes.


1 Introduction 

Many researchers have so far developed cryptographic schemes based on combinatorial problems related to knapsacks, codes, and lattices, due to the intractability of the underlying problems, the efficiency of primitive operations, and the threat of quantum computers to number-theoretic schemes.

The cryptographic schemes based on combinatorial problems usually assume the average-case hardness of the underlying problem because they have to deal with randomly generated cryptographic instances such as keys, plaintexts, and ciphertexts. This implies a security risk in such schemes since it is generally hard to show their average-case hardness. In fact, several attacks against such schemes were found in practical settings. Cryptographic schemes based only on average-case hardness are more likely to be at risk of these kinds of attacks.

It is therefore significant to guarantee security under worst-case hardness. Ajtai showed that the average-case hardness of some lattice problem is equivalent to its worst-case hardness. His seminal result opened the way to cryptographic schemes based on the worst-case hardness of lattice problems. Several lattice-based schemes were proposed, such as public-key encryption schemes, e.g., by Ajtai and Dwork, and hash functions.

Among varieties of lattice-based cryptographic schemes, there are very few results on identification (ID) schemes based on the worst-case hardness of lattice problems. For example, Micciancio and Vadhan proposed ID schemes based on the worst-case hardness of lattice problems, such as the gap versions of the Shortest Vector Problem. These schemes are obtained from their statistical zero-knowledge protocol with efficient provers [20]. Recently, Lyubashevsky also constructed lattice-based ID schemes secure against active attack [14]. Unfortunately, the approximation factors of the underlying problems in their schemes are too large for practical use, as has been noted, since security parameters for ID schemes should be large in order to achieve the required hardness. Therefore, it is necessary to construct schemes based on weaker assumptions, i.e., assumptions on lattice problems with smaller approximation factors.

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 372–389, 2008.

1.1 Our Contributions 

In this paper, we propose two variants, which we call S_ID and S'_ID, of Stern's ID scheme [25]. These variants are secure against concurrent attack¹ under assumptions on the worst-case hardness of lattice problems, while Stern's original scheme assumes the average-case hardness of a certain decoding problem in coding theory and the existence of a collision-resistant hash function, and its security is only against passive attack. The underlying problems of S_ID and S'_ID are the gap version of the Shortest Vector Problem with approximation factor $\tilde O(n)$ ($\mathrm{GapSVP}_{\tilde O(n)}$) and the Shortest Vector Problem for ideal lattices with approximation factor $\tilde O(n)$ ($\Lambda(f)\text{-}\mathrm{SVP}_{\tilde O(n)}$), respectively, where $\tilde O(g(n)) = O(g(n)\,\mathrm{polylog}\,g(n))$ for a function $g$ in $n$. These assumptions are weaker than those for the previous lattice-based ID schemes. We stress that such weaker assumptions take a step toward the practical use of lattice-based ID schemes.

Moreover, we show that our variants yield efficient ad hoc anonymous identification schemes (AID schemes). In an AID scheme, which was introduced by Dodis, Kiayias, Nicolosi, and Shoup, the protocol is run by two parties, a prover and a verifier, but we implicitly suppose an ad hoc group. Given the public keys of all members of the group to the verifier (and the prover), the goal is to convince the verifier that the prover belongs to the group, without revealing which member of the group the prover is, if and only if the prover is an actual member of the group. We formally define a concurrent version of the security notion, security against impersonation under concurrent chosen-group attack, and prove that our AID schemes satisfy this security notion. Our schemes are based on the worst-case hardness of $\mathrm{GapSVP}_{\tilde O(n)}$ and $\Lambda(f)\text{-}\mathrm{SVP}_{\tilde O(n)}$. To the authors' best knowledge, this is the first non-trivial construction under the assumption of the worst-case hardness of lattice problems.

1.2 Main Ideas 

In this section, we only discuss the ID scheme S_ID based on GapSVP. We first construct a string commitment scheme based on the lattice problem, which will be used in the ID schemes. Then we describe the idea of the proof of the concurrent security of the variant. Finally, we give a sketch of our construction method for an AID scheme.

Before giving the overview, we review the underlying problem $\mathrm{GapSVP}_\gamma$ and the fundamental problem, the Small Integer Solution Problem ($\mathrm{SIS}_{q,m,\beta}$), on which our variants are directly based. The informal definitions and the relationship of the two problems are given as follows:

- $\mathrm{SIS}_{q,m,\beta}$: Given a random $n$-by-$m$ matrix $A$ whose elements are in $\mathbb{Z}_q$, the problem is finding an $m$-dimensional integral non-zero vector $z$ such that $Az = 0 \pmod q$ and $\|z\|_2 \le \beta$.

- $\mathrm{GapSVP}_\gamma$: Given an $n$-dimensional lattice $L$ and a rational number $d$, the problem is outputting YES if there exists a non-zero vector $v \in L$ such that $\|v\|_2 \le d$, or NO if for any non-zero vector $v \in L$, $\|v\|_2 > \gamma d$.

- For suitable $q$ and $m$, if there exists a probabilistic polynomial-time algorithm which solves $\mathrm{SIS}_{q,m,\beta}$ on the average, then there exists a probabilistic polynomial-time algorithm which solves $\mathrm{GapSVP}_{\tilde O(\sqrt{n}\,\beta)}$ in the worst case.

As in Lyubashevsky's result [14], we use the above relationship for our security reduction. Hence we mainly deal with SIS instead of GapSVP.

¹ In active attack, an adversary could interact with the prover prior to impersonation. In concurrent attack, an adversary could interact with many different prover "clones" concurrently prior to impersonation. Each clone has the same secret key, but has independent random coins and maintains its own state. After interacting with many clones, the adversary tries impersonation.

We simply obtain the lattice-based hash functions as follows: Choose a random matrix $A \in \mathbb{Z}_q^{n \times m}$. For any $x \in \{0,1\}^m$, a hash value is $f_A(x) := Ax \bmod q$. A collision $(x, x')$ of the hash function $f_A$ implies a solution $z = x - x'$ of $\mathrm{SIS}_{q,m,\sqrt m}$. Thus, the security of the hash functions is based on the worst-case hardness of $\mathrm{GapSVP}_{\tilde O(n)}$.

String commitment schemes: We construct a string commitment scheme from lattice-based hash functions. General constructions of string commitment schemes from collision-resistant hash functions were shown by Damgård, Pedersen, and Pfitzmann and by Halevi and Micali. Stern also constructed a string commitment scheme from collision-resistant hash functions in [25, Sec. III-A]: Let $h$ be a hash function. Given a string $s$ and a random string $\rho$, a commitment is $h(\rho \circ (\rho \oplus s))$, where $\circ$ and $\oplus$ denote the concatenation and XOR operators, respectively. However, its hiding property was not shown. We construct a string commitment scheme in a more direct and simpler way than the general one and Stern's one: Given $s$ and $\rho$, a commitment is $h(\rho \circ s)$, where $h$ is a lattice-based hash function. The binding property simply follows from the collision-resistance property of $h$. We derive its hiding property from the $\epsilon$-regularity of $h$ for some negligible function $\epsilon$. As mentioned above, we have collision-resistant lattice-based hash functions based on the worst-case hardness of GapSVP, while Stern assumed the existence of collision-resistant hash functions.

Our ID scheme and its concurrent security: In Stern's scheme and our variant, a prover has a binary vector $x$ with fixed Hamming weight as his/her secret key. We also feed to the prover and the verifier a matrix $A$ as a system parameter and a vector $y$ as the public key corresponding to $x$. The task of the prover is to convince the verifier that he/she knows a correct secret key $x$ satisfying the relation $Ax = y$ and that $x$ has a valid weight.

In Stern's protocol [25], the prover computes three commitments and sends them to the verifier. The verifier sends a random challenge to the prover. The prover reveals two of the three commitments corresponding to the challenge. He constructed a knowledge extractor which computes a collision of the hash function in the string commitment scheme or a secret key corresponding to the target public key if a passive adversary responds correctly to all challenges after sending the commitments.
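The exchange just described, as an added example that is not part of the original paper: a Python model of Stern's three-pass protocol with the relation $Ax = y$ over $\mathbb{Z}_q$ and a secret of weight $m/2$. It follows the textbook form of Stern's scheme (the prover commits to a random permutation $\pi$ and a mask $r \in \mathbb{Z}_q^m$, and opens two of the three commitments depending on the challenge), which is an assumption about details this page does not spell out. The commitment is a SHA-256 stand-in used only to keep the example short; the paper's contribution is to replace it with the lattice-based $\mathrm{Com}_A$ of Section 3. The last two functions model the AID idea of Section 1.2, the witness $x'$ with $[A\ y_1 \dots y_l]\,x' = 0$. The parameters $N, M, Q$ and the seeds are constructed toy values with no security.

```python
"""Stern-style three-pass ID protocol for the relation Ax = y (mod q) with a secret
x of Hamming weight m/2, plus the AID witness x' of Section 1.2.  Added example,
not the paper's code: commitments are a SHA-256 stand-in (the paper uses the
lattice-based Com_A); N, M, Q are constructed toy values."""
import hashlib
import random

N, M, Q = 3, 8, 7   # toy parameters (assumed), no security


def Com(rho, *parts):
    """Stand-in commitment: SHA-256 over the randomness and the committed values."""
    h = hashlib.sha256(rho)
    for p in parts:
        h.update(repr(tuple(p)).encode())
    return h.hexdigest()


def matvec(A, x):
    return tuple(sum(a * b for a, b in zip(row, x)) % Q for row in A)


def permute(pi, v):
    return tuple(v[pi[i]] for i in range(len(v)))


def random_secret(rng):
    """Secret key x in B(m, m/2): a random binary vector of weight exactly m/2."""
    x = [1] * (M // 2) + [0] * (M // 2)
    rng.shuffle(x)
    return tuple(x)


def keygen(rng):
    """SetUp + KG: random A in Z_q^{n x m}, secret x, public key y = Ax mod q."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    x = random_secret(rng)
    return A, x, matvec(A, x)


def prover_commit(rng, A, x):
    """Move 1: pick a permutation pi and a mask r; send c1, c2, c3."""
    pi = list(range(M))
    rng.shuffle(pi)
    r = tuple(rng.randrange(Q) for _ in range(M))
    rhos = [bytes(rng.randrange(256) for _ in range(16)) for _ in range(3)]
    xr = tuple((xi + ri) % Q for xi, ri in zip(x, r))
    c1 = Com(rhos[0], pi, matvec(A, r))       # binds pi and A r
    c2 = Com(rhos[1], permute(pi, r))         # binds pi(r)
    c3 = Com(rhos[2], permute(pi, xr))        # binds pi(x + r)
    return (c1, c2, c3), {"pi": pi, "r": r, "xr": xr, "rhos": rhos}


def prover_respond(state, x, ch):
    """Move 3: open the two commitments selected by the challenge ch in {0, 1, 2}."""
    pi, r, xr, rhos = state["pi"], state["r"], state["xr"], state["rhos"]
    if ch == 0:
        return pi, r, rhos[0], rhos[1]
    if ch == 1:
        return pi, xr, rhos[0], rhos[2]
    return permute(pi, r), permute(pi, x), rhos[1], rhos[2]


def verify(A, y, coms, ch, resp):
    c1, c2, c3 = coms
    if ch == 0:                       # pi, r: recompute c1 and c2
        pi, r, rho1, rho2 = resp
        return c1 == Com(rho1, pi, matvec(A, r)) and c2 == Com(rho2, permute(pi, r))
    if ch == 1:                       # pi, x + r: A(x + r) - y must equal A r
        pi, xr, rho1, rho3 = resp
        ar = tuple((a - b) % Q for a, b in zip(matvec(A, xr), y))
        return c1 == Com(rho1, pi, ar) and c3 == Com(rho3, permute(pi, xr))
    v, w, rho2, rho3 = resp           # pi(r), pi(x): weight check, then c2 and c3
    if not (all(b in (0, 1) for b in w) and sum(w) == M // 2):
        return False
    vw = tuple((a + b) % Q for a, b in zip(v, w))
    return c2 == Com(rho2, v) and c3 == Com(rho3, vw)


def run_round(rng, A, y, secret, ch):
    coms, state = prover_commit(rng, A, secret)
    return verify(A, y, coms, ch, prover_respond(state, secret, ch))


def honest_accepts(seed=1):
    """Perfect completeness: the legitimate prover passes every challenge."""
    rng = random.Random(seed)
    A, x, y = keygen(rng)
    return all(run_round(rng, A, y, x, ch) for ch in (0, 1, 2))


def cheater_results(seed=1):
    """A prover without a valid secret (here the all-zero vector, wrong weight) can
    satisfy challenge 0 but is caught on challenge 2: soundness error at most 2/3."""
    rng = random.Random(seed)
    A, _, y = keygen(rng)
    return [run_round(rng, A, y, (0,) * M, ch) for ch in (0, 1, 2)]


def aid_witness(A, ys, i, x_i):
    """AID idea: with Y = [y_1 ... y_l], x' = (x_i, -e_i) satisfies [A Y] x' = A x_i - y_i = 0.
    Returns x' and whether the relation holds; the +1/-1 positions in x' are what the
    modified protocol additionally proves well-formed."""
    xp = tuple(x_i) + tuple(-1 if j == i else 0 for j in range(len(ys)))
    AY = [list(row) + [ys[j][k] for j in range(len(ys))] for k, row in enumerate(A)]
    return xp, all(v == 0 for v in matvec(AY, xp))


def aid_demo(seed=2, members=3):
    rng = random.Random(seed)
    A, _, _ = keygen(rng)
    secrets = [random_secret(rng) for _ in range(members)]
    ys = [matvec(A, x) for x in secrets]
    return aid_witness(A, ys, 1, secrets[1])[1]
```

Running `honest_accepts()` exercises all three challenge branches of the verifier; `cheater_results()` shows why a single round only bounds the soundness error by 2/3 and why the paper repeats the protocol $t$ times in parallel.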

One of the standard strategies to achieve concurrent security is to prove that a public key corresponds to multiple secret keys and that the protocol is witness indistinguishable (WI) and a proof of knowledge: The reduction algorithm generates sk and pk and runs the adversary on pk by simulating the prover with sk. Using the knowledge extractor of the protocol, the algorithm obtains another sk' corresponding to pk with probability at least $1/2$ since the protocol is WI. The algorithm then solves the underlying problem by using pk, sk, and sk'.

In our reduction, when the algorithm is given $A$, it generates a secret key $x$ and a public key $y = Ax$, and feeds $A$ and $y$ to the adversary. Note that the algorithm can simulate, with $A$ and $x$, the prover that the adversary concurrently accesses. Using the knowledge extractor for the adversary in Stern's proof, the algorithm obtains a collision of the string commitment scheme or a secret key $x'$ such that $x' \ne x$ and $Ax' = y$, differently from the general strategy. In the former case, the algorithm outputs the collision $(s, s')$ of the hash function $h_A$ in the string commitment scheme. Thus, the solution for SIS is obtained by $z = s - s'$. In the latter case, the condition $x' \ne x$ will be satisfied with probability at least $1/2$ by the witness indistinguishability of Stern's protocol. Thus, the algorithm has the solution $z = x - x'$ for SIS. The $\ell_2$ norm of both solutions is at most $\sqrt m = \tilde O(n^{1/2})$. From the relationship between SIS and GapSVP, the assumption is the worst-case hardness of $\mathrm{GapSVP}_{\tilde O(n)}$.

AID schemes: Our construction for AID schemes also has the following structure: Each of the $l$ members in the ad hoc group has a vector $x_i$ ($i = 1, \dots, l$). Then, the common inputs of the scheme are a system parameter $A$ and a set of public keys $y_1, \dots, y_l$ of the members, which satisfy $y_i = Ax_i$ ($i = 1, \dots, l$). We can show that, by Stern's protocol, the prover can anonymously convince the verifier that the prover knows $x_i$ corresponding to one of $y_1, \dots, y_l$, since he/she knows a new vector $x'$ such that $[A\ y_1\ \dots\ y_l]\,x' = 0$. (This idea is due to Wu, Chen, Wang, and Wang [27], who presented an AID scheme from a certain combinatorial problem.) Additionally, we force the prover to prove that the positions of $+1$ and $-1$ in $x'$ are proper by modifying Stern's protocol. We succeed in giving a security proof for the scheme, while Wu et al. gave no formal proof of the security of their scheme.

1.3 Comparison with Other Lattice-Based Schemes 

ID schemes: In [20], Micciancio and Vadhan proposed a statistical zero-knowledge and proof-of-knowledge protocol for GapSVP. Combining it with lattice-based hash functions, we obtain an ID scheme which is secure against passive attack based on $\mathrm{SIS}_{q,m,\tilde O(n)}$, which can be reduced from $\mathrm{GapSVP}_{\tilde O(n^{1.5})}$.

In the scheme, the prover and the verifier are given a matrix A as a common input, 
and the prover has a binary vector x as secret information. The task of the prover is to 
convince the verifier that he/she knows x satisfying the relations that Ax = 0 and x is 
relatively short. It seems difficult to directly simulate the prover since a simulator has 
to prepare a dummy short vector x' satisfying Ax' = 0, which is the task of SIS itself. 
Thus, we cannot straightforwardly prove the concurrent security for their ID scheme. 

By a simple modification, we can construct a concurrently secure ID scheme (MV_ID for short) based on the worst-case hardness of lattice problems from Micciancio and Vadhan's ID scheme, as noted in [20, Sec. 5]. In particular, applying the techniques of De Santis, Di Crescenzo, Persiano, and Yung and of Feige and Shamir, a modification of the ID scheme can be proven to have concurrent security² based on the same problem as that in the original scheme.

Table 1. Comparisons among ID schemes and AID schemes. A secret key sk is $x \in \{0,1\}^m$. The factor $n$ denotes the security parameter. We denote the Hamming weight of $x$ by $w_H(x)$. Assume that the protocols are repeated $t$ times in parallel for reducing errors. In the table for AID schemes, $l$ denotes the number of members in the group. Note that the parameters in the ideal-lattice-based versions are almost the same as those in the general-lattice-based versions.

ID schemes (A_0, A_1, A ∈ Z_q^{n×m})

Scheme      | Param. | Public key | Relation                  | γ in GapSVP² | Comm. cost | Errors
MV_ID [20]  | -      | A_0, A_1   | A_0 x = 0 or A_1 x = 0    | Õ(n^1.5)     | t · Õ(n)   | 1-sided
L_ID [14]   | (A)    | A, y       | Ax = y                    | Õ(n^2)       | t · Õ(n)   | 2-sided
S_ID        | A      | y          | Ax = y and w_H(x) = m/2   | Õ(n)         | t · Õ(n)   | 1-sided

AID schemes (A_{i,0}, A_{i,1}, A ∈ Z_q^{n×m})

Base        | Param. | Set of pks           | Relation                        | γ in GapSVP² | Comm. cost    | Errors
MV_ID [20]  | -      | {A_{i,0}, A_{i,1}}_i | A_{i,0} x = 0 or A_{i,1} x = 0  | Õ(n^1.5)     | tl · Õ(n)     | 1-sided
L_ID [14]   | A      | y_1, ..., y_l        | Ax = y_i                        | Õ(n^2)       | tl · Õ(n)     | 2-sided
S_ID        | A      | y_1, ..., y_l        | Ax = y_i and w_H(x) = m/2       | Õ(n)         | t · Õ(l + n)  | 1-sided

Recently, Lyubashevsky proposed new concurrently secure ID schemes based on lattice problems [14]; we call it L_ID for short. In his protocol, the prover proves, given $A$ and $y$, that he/she has $x \in \{0,1\}^m$ such that $Ax = y$. Using an active adversary, his knowledge extractor obtains another vector $x'$ such that $Ax' = y$ and the length of $x'$ is at most $\tilde O(m^{1.5}) = \tilde O(n^{1.5})$. Thus, in the L_ID scheme, the underlying problem is $\mathrm{SIS}_{q,m,\tilde O(n^{1.5})}$, which can be reduced from $\mathrm{GapSVP}_{\tilde O(n^2)}$.

As mentioned in the previous section, the assumption of S_ID is the worst-case hardness of $\mathrm{GapSVP}_{\tilde O(n)}$, which is weaker than those of MV_ID and L_ID. This improvement is obtained by the condition that the knowledge extractor outputs another secret key $x'$ whose length is at most $\sqrt m = \tilde O(\sqrt n)$. Our schemes have 1-sided error (perfect completeness and soundness error), while L_ID has 2-sided error (completeness and soundness errors). As a summary, see Table 1.

AID schemes: By taking the OR of $l$ statements, we can straightforwardly obtain MV_ID-based and L_ID-based AID schemes, whose security is based on the worst-case hardness of lattice problems. We feed only $pk_1, \dots, pk_l$ as the common inputs to the prover and the verifier. In this case, the prover convinces the verifier that he/she has a secret key corresponding to one of the public keys, $pk_i$.

However, each of these simple modifications requires a large overhead cost involving the size of the ad hoc group. Let $l$ be the number of the members of the group and $n$ the security parameter. The protocol is run $t$ times in parallel to reduce the errors. The communication costs of the MV_ID-based and L_ID-based schemes are $tl \cdot \tilde O(n)$. The size of a set of the public keys is $l \cdot \tilde O(n^2)$ and $\tilde O(n^2) + l \cdot \tilde O(n)$ in the modified versions of MV_ID and L_ID, respectively.

² Combining the ORing technique by De Santis et al. and the discarding technique by Feige and Shamir, we derive a construction technique for ID schemes secure against active attack. Moreover, we can construct concurrently secure ID schemes by the same technique, as folklore says.

Concurrently Secure Identification Schemes    377

On AID schemes, the L_ID-based and our schemes require many vectors proportional to the size of the group, while the MV_ID-based scheme requires many matrices proportional to the size of the group (see Table 1). Additionally, the communication cost of our schemes is $t \cdot \tilde O(n + l)$, while those in the MV_ID-based and L_ID-based schemes are $tl \cdot \tilde O(n)$. This shows the advantage of our scheme in efficiency.

1.4 Organization 

The rest of this paper is organized as follows. In Section 2 we review basic notations and notions, and the cryptographic schemes we consider. In Section 3 we review lattice-based hash functions and give a commitment scheme based on the lattice-based hash functions for our ID and AID schemes. In Section 4 we construct the ID scheme by combining the framework of Stern's scheme with our string commitment scheme. We present the AID scheme in Section 5.

In this paper, due to lack of space, we only describe the schemes based on GapSVP, since the construction on $\Lambda(f)$-SVP follows from a similar strategy to that on GapSVP. We discuss the constructions on $\Lambda(f)$-SVP in the full paper.

2 Preliminaries 

Basic notions and notations: We denote by $n$ the security parameter of cryptographic schemes throughout this paper, which corresponds to the rank of the underlying lattice problems. We say that a problem is hard in the worst case if there exists no probabilistic polynomial-time algorithm that solves the problem in the worst case with non-negligible probability. We sometimes use $\tilde O(g(n))$ for any function $g$ in $n$ as $O(g(n) \cdot \mathrm{polylog}(g(n)))$. We assume that all random variables are independent and uniform. For a positive integer $n$, let $[n]$ denote the set $\{1, 2, \dots, n\}$.

For any $p \ge 1$, the $\ell_p$ norm of a vector $x = {}^t(x_1, \dots, x_n) \in \mathbb{R}^n$, denoted by $\|x\|_p$, is $(\sum_{i \in [n]} |x_i|^p)^{1/p}$. For ease of notation, we define $\|x\| := \|x\|_2$. The $\ell_\infty$ norm is defined as $\|x\|_\infty = \lim_{p \to \infty} \|x\|_p = \max_{i \in [n]} |x_i|$. Let $w_H(x)$ denote the Hamming weight of $x$, i.e., the number of non-zero elements in $x$. Let $B(m, w)$ denote the set of binary vectors in $\{0,1\}^m$ whose Hamming weights are exactly equal to $w$, i.e., $B(m, w) := \{x \in \{0,1\}^m \mid w_H(x) = w\}$. We denote the concatenation of two vectors or strings $v_1$ and $v_2$ by $v_1 \circ v_2$.

We omit the definitions of zero-knowledge arguments and witness-indistinguishable protocols. For formal definitions, see textbooks, e.g., by Goldreich.

Hash functions: We briefly review the definition of collision-resistant hash function families. Let $\mathcal{H}_n = \{h_k : M_n \to D_n \mid k \in K_n\}$ be a family of hash functions, where $M_n$, $D_n$, and $K_n$ denote a space of messages, digests, and indices, respectively. Let $\mathcal{H} = \{\mathcal{H}_n\}_{n \in \mathbb{N}}$. Roughly speaking, if $\mathcal{H}$ is collision resistant, any polynomial-time adversary cannot, on input a random index $k$, output a collision of the hash function indexed by $k$. For a formal definition, see, e.g., the textbook by Katz and Lindell, Sec. 4.6.1.
String commitment schemes: We consider a string commitment scheme in the trusted setup model. The trusted setup model is often required to construct practically efficient cryptographic schemes such as non-interactive string commitment schemes. In this model, we assume that a trusted party $T$ honestly sets up a system parameter for the sender and the receiver.

First $T$ distributes the index $k$ of a commitment function to the sender and the receiver. Both parties then share a common function $\mathrm{Com}_k$ given $k$. The scheme runs in two phases, called the committing and revealing phases. In the committing phase, the sender commits his/her decision, say a string $s$, to a commitment string $c = \mathrm{Com}_k(s; \rho)$ with a random string $\rho$ and sends $c$ to the receiver. In the revealing phase, the sender gives the receiver the decision $s$ and the random string $\rho$. The receiver verifies the validity of $c$ by computing $\mathrm{Com}_k(s; \rho)$.

We require two security notions of string commitment schemes, the statistically-hiding and computationally-binding properties. Intuitively, we say that the commitment scheme is statistically hiding if any computationally unbounded adversarial receiver cannot distinguish two commitment strings generated from two distinct strings. Also, it is computationally binding if any polynomial-time adversarial sender cannot change the committed string after sending the commitment.

Canonical identification schemes: Let $\mathcal{SI}$ = (SetUp, KG, P, V) be an identification scheme, where SetUp is the setup algorithm which on input $1^n$ outputs param, KG is the key-generation algorithm which on input param outputs (pk, sk), P is the prover algorithm taking input sk, and V is the verifier algorithm taking inputs param and pk. We say $\mathcal{SI}$ is a canonical identification scheme if it is a public-coin 3-move protocol.

We are interested in concurrent attack, which is stronger than active and passive attack. In concurrent attack, the adversary plays the role of a cheating verifier prior to impersonation and can interact with many different prover clones concurrently. Each clone has the same secret key, but has independent random coins and maintains its own state. We say $\mathcal{SI}$ is secure against impersonation under concurrent attack if any polynomial-time adversary cannot, given a random public key of a legitimate prover, impersonate the legitimate prover.

Ad hoc anonymous identification schemes: An AID scheme allows a user to anonymously prove his/her membership in a group if and only if the user is an actual member of the group, where the group is formed in an ad hoc fashion without the help of a group manager. We then assume that every user registers his/her public key with the public key infrastructure.

We define the algorithms in AID schemes. An AID scheme is a four-tuple $\mathcal{AID}$ = (SetUp, Reg, P, V), where SetUp is the setup algorithm which on input $1^n$ outputs param, Reg is the key generation and registration algorithm which on input param outputs (pk, sk), P is the prover algorithm taking inputs param, a set of public keys $R = (pk_1, \dots, pk_l)$, and one of the secret keys $sk_i$ such that $pk_i \in R$, and V is the verifier algorithm taking inputs param and $R$. For a more formal definition, see the work of Dodis et al.

There are two goals for security of AID schemes: security against impersonation and anonymity. Dodis et al. formally defined security against impersonation under passive attack. They mentioned the definition of security against impersonation under concurrent attack. However, they did not give the formal definition (see Sec. 3.2 of their paper). Thus, we define the security notion with respect to concurrent attack. In the setting of chosen-group attack, the adversary could force the prover to prove membership in an arbitrary group if the prover is indeed a member of the group. Additionally, concurrent attack allows the cheating verifier to interact with the clones of any provers. Also, they allow the cheating prover to interact with the clones of provers, but prohibit it from interacting with the target provers. We say $\mathcal{AID}$ is secure against impersonation under concurrent chosen-group attack if any polynomial-time adversary cannot impersonate the legitimate prover in the above settings.

The security notion, anonymity against full key exposure, captures the property that an adversary cannot distinguish two transcripts even if the adversary has the secret keys of all the members. We say $\mathcal{AID}$ is anonymous against full key exposure if any polynomial-time adversary cannot distinguish two provers with a common set of public keys even though the adversary generates all keys of the set. The formal definitions of the two notions are in the full paper.

3 Main Tools 

In this section, we review the main tools, lattices, lattice problems, and lattice-based hash functions, and construct string commitment schemes.

Lattices and lattice problems: We first review fundamental notions of lattices, well- 
known lattice problems, and a related problem. 

An $n$-dimensional lattice in $\mathbb{R}^m$ is the set $L(b_1, \dots, b_n) = \{\sum_{i \in [n]} \alpha_i b_i \mid \alpha_i \in \mathbb{Z}\}$ of all integral combinations of $n$ linearly independent vectors $b_1, \dots, b_n \in \mathbb{R}^m$. The sequence of vectors $b_1, \dots, b_n$ is called a basis of the lattice $L$ and denoted by $B$. For more details on lattices, see the textbook by Micciancio and Goldwasser.

We give the definitions of well-known lattice problems, the Shortest Vector Problem ($\mathrm{SVP}^p$) and its approximation version ($\mathrm{SVP}^p_\gamma$): The problem $\mathrm{SVP}^p$ is, given a basis $B$ of a lattice $L$, finding the shortest non-zero vector $v$ in $L$ in the $\ell_p$ norm. The problem $\mathrm{SVP}^p_\gamma$ is, given a basis $B$ of a lattice $L$, finding a non-zero vector $v$ in $L$ such that for any non-zero vector $x$ in $L$, $\|v\|_p \le \gamma \|x\|_p$.

We next give the definition of the gap version of SVP£, which is the underlying 
problem of lattice-based hash functions. 

Definition 3.1 ($\mathrm{GapSVP}^p_\gamma$). For a gap function $\gamma$, an instance of $\mathrm{GapSVP}^p_\gamma$ is a pair $(B, d)$ where $B$ is a basis of a lattice $L$ and $d$ is a rational number. In YES inputs there exists a vector $v \in L \setminus \{0\}$ such that $\|v\|_p \le d$. In NO inputs, for any vector $v \in L \setminus \{0\}$, $\|v\|_p > \gamma d$.

We also define the Small Integer Solution problem SIS (in the $\ell_p$ norm), which is often considered in the context of average-case/worst-case connections and is a source of lattice-based hash functions, as we see later.

Definition 3.2 ($\mathrm{SIS}^p_{q,m,\beta}$). For a fixed integer $q$ and a real $\beta$, given a matrix $A \in \mathbb{Z}_q^{n \times m}$, the problem is finding a non-zero integer vector $z \in \mathbb{Z}^m$ such that $Az = 0 \pmod q$ and $\|z\|_p \le \beta$.

The relation between SIS and GapSVP is reviewed in the next paragraph. 
Lattice-based hash functions: We review the lattice-based hash functions. For a prime $q = q(n) = n^{O(1)}$ and an integer $m = m(n) > n \log q(n)$, we define a family of hash functions,

$\mathcal{H}(q, m) = \{ f_A : \{0,1\}^m \to \mathbb{Z}_q^n \mid A \in \mathbb{Z}_q^{n \times m} \}$,

where $f_A(x) = Ax \bmod q$.

Originally, Ajtai showed that the worst-case hardness of $\mathrm{GapSVP}_\gamma$ for some polynomial $\gamma(n)$ is reduced to the average-case hardness of SIS for suitable $q(n)$ and $m(n)$. It is known that $\mathcal{H}(q, m)$ is indeed collision resistant for suitably chosen $q$ and $m$ by Goldreich, Goldwasser, and Halevi. They observed that finding a collision $(x, x')$ for $f_A \in \mathcal{H}(q, m)$ implies finding a short non-zero vector $z = x - x'$ such that $\|z\| \le \sqrt m$ and $Az = 0 \pmod q$, i.e., solving $\mathrm{SIS}_{q,m,\sqrt m}$. Recently, Micciancio and Regev showed that $\mathcal{H}(q, m)$ is collision resistant under the assumption that $\mathrm{GapSVP}_{\tilde O(n)}$ is hard in the worst case.

Theorem 3.1. For any polynomially bounded functions $\beta = \beta(n)$, $m = m(n)$, $q = q(n)$, with $q > 4\sqrt m\, n^{3/2} \beta$ and $\gamma = 14\pi\sqrt n\, \beta$, there exists a probabilistic polynomial-time reduction from solving $\mathrm{GapSVP}_\gamma$ in the worst case to solving $\mathrm{SIS}_{q,m,\beta}$ on the average with non-negligible probability.

There were other reductions from the gap version of the covering radius problem $\mathrm{GapCRP}_\gamma$, the shortest independent vector problem $\mathrm{SIVP}_\gamma$, and the guaranteed distance decoding problem $\mathrm{GDD}_\gamma$ by adjusting the parameters. It is worth noting the results following the above: Peikert showed reductions from the same problems in any $\ell_p$ norm for $p \ge 2$. The recent paper by Gentry, Peikert, and Vaikuntanathan (Sec. 9) showed that the modulus $q$ in SIS can be $\tilde O(n)$.

A string commitment scheme: General constructions of statistically-hiding and computationally-binding string commitment schemes are known from a family of collision-resistant hash functions. Their constructions used universal hash functions for the statistically-hiding property.

Here, we give a more direct and simpler construction from the lattice-based hash functions without the universal hash functions. The input of the commitment function is an $m$-bit vector $x$ obtained by concatenating a random string $\rho = (\rho_1, \dots, \rho_{m/2})$ and a message string $s = (s_1, \dots, s_{m/2})$, i.e., $x = \rho \circ s$. We then define the commitment function on inputs $s$ and $\rho$ as

$\mathrm{Com}_A(s; \rho) := Ax \bmod q = A \cdot {}^t(\rho_1, \dots, \rho_{m/2}, s_1, \dots, s_{m/2}) \bmod q$.

Lemma 3.1. For $m > 10 n \log q$, if $\mathrm{SIS}_{q,m,\sqrt m}$ is hard on the average, then $\mathrm{Com}_A$ is a statistically-hiding and computationally-binding string commitment scheme in the trusted setup model. In particular, for any polynomially bounded functions $m = m(n)$, $q = q(n)$, $\gamma = \gamma(n)$, with $q > 4 m n^{3/2}$, $\gamma = 14\pi\sqrt{nm}$, and $m > 10 n \log q$, $\mathrm{Com}_A$ is a statistically-hiding and computationally-binding string commitment scheme in the trusted setup model if $\mathrm{GapSVP}_\gamma$ is hard in the worst case.

Before the proof, we review the definition of statistical distance: Given two probability density functions $\phi_1$ and $\phi_2$ on a finite set $S$, we define the statistical distance between them as $\Delta(\phi_1, \phi_2) := \frac{1}{2} \sum_{x \in S} |\phi_1(x) - \phi_2(x)|$.
Proof. The computationally-binding property immediately follows from the collision-resistance property. We now show the statistically-hiding property.

Let $A = [a_1 \cdots a_m]$. We then have $\mathrm{Com}_A(s; \rho) = \sum_{i \in [m/2]} \rho_i a_i + s_i a_{i+m/2}$. The following claim says that a random subset sum of the $a_i$ is statistically close to the uniform distribution for almost all choices of the $a_i$.

Claim. Let $G$ be some finite Abelian group and let $l$ be some integer. For any $l$ elements $g_1, \dots, g_l \in G$, consider $\Delta(\sum_{j \in [l]} u_j g_j, u)$, where $u$ and $u_j$ are chosen uniformly at random from $G$ and $\{0,1\}$, respectively. Then the expectation of this statistical distance over a uniform choice of $g_1, \dots, g_l \in G$ is at most $\sqrt{|G|/2^l}$. In particular, the probability that this statistical distance is more than $(|G|/2^l)^{1/4}$ is at most $(|G|/2^l)^{1/4}$.

In our proof, we consider $\mathbb{Z}_q^n$ as the finite Abelian group $G$. Since $m > 10 n \log q$, $(|G|/2^{m/2})^{1/4} < q^{-n}$. Thus, for all but an at most $q^{-n}$ fraction of $A = [a_1, \dots, a_m] \in \mathbb{Z}_q^{n \times m}$, we have that $\Delta(u, \sum_{i \in [m/2]} \rho_i a_i) < q^{-n}$, where $u \in \mathbb{Z}_q^n$ is a uniform random variable. Assume that we have such an $A$. So we have $\Delta(u, \mathrm{Com}_A(0^{m/2}; \rho)) < q^{-n}$. By the definition of $\mathrm{Com}_A$, for any $s \in \{0,1\}^{m/2}$, we have $\Delta(u, \mathrm{Com}_A(s; \rho)) < q^{-n}$. By the triangle inequality, we obtain

$\Delta(\mathrm{Com}_A(s_1; \rho_1), \mathrm{Com}_A(s_2; \rho_2)) \le \Delta(u, \mathrm{Com}_A(s_1; \rho_1)) + \Delta(u, \mathrm{Com}_A(s_2; \rho_2)) < 2q^{-n}$,

for any messages $s_1$ and $s_2$. This shows that, for all but a negligible fraction of choices of $A$, the distributions of two commitments are statistically close. □
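The following Python program is an added example, not code from the paper: it models the fixed-length commitment $\mathrm{Com}_A(s;\rho) = A(\rho \circ s) \bmod q$ of Lemma 3.1 together with the $f_A$-collision-to-SIS relationship from Section 1.2. The parameters $n = 2$, $q = 5$, $m = 16$ and the seed are constructed toy values (they violate $m > 10 n \log q$ and give no security) chosen so that the statistical distance $\Delta(u, \mathrm{Com}_A(s;\rho))$ from the hiding argument can be computed exactly by enumerating every $\rho$, and so that a brute-force collision of $f_A$ can be found and checked to be a genuine $\mathrm{SIS}_{q,m,\sqrt m}$ solution.

```python
"""Fixed-length lattice commitment Com_A(s; rho) = A (rho o s) mod q (Lemma 3.1)
and the collision -> SIS relation of f_A(x) = Ax mod q.  Added example, not the
paper's code.  N, Q, M are constructed toy values chosen so that the statistical
distance in the hiding proof is computable by exhaustive enumeration; they violate
m > 10 n log q and give no security."""
import itertools
import math
import random

N, Q, M = 2, 5, 16   # toy parameters (assumed)
R = M // 2           # |rho| = |s| = m/2


def sample_matrix(rng, n=N, m=M, q=Q):
    """Trusted setup: uniform A in Z_q^{n x m}."""
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def f_A(A, x, q=Q):
    """Lattice-based hash f_A(x) = Ax mod q for an integer vector x of length m."""
    return tuple(sum(a * xi for a, xi in zip(row, x)) % q for row in A)


def commit(A, s, rho, q=Q):
    """Com_A(s; rho) = A (rho o s) mod q with rho, s in {0,1}^{m/2}."""
    assert len(s) == R and len(rho) == R
    return f_A(A, tuple(rho) + tuple(s), q)


def open_commitment(A, c, s, rho):
    """Receiver's check in the revealing phase."""
    return commit(A, s, rho) == c


def hiding_distance(A, s, q=Q, n=N):
    """Exact Delta(u, Com_A(s; rho)) for uniform u in Z_q^n and uniform rho,
    computed by enumerating all 2^{m/2} values of rho (toy sizes only)."""
    counts = {}
    for rho in itertools.product((0, 1), repeat=R):
        c = commit(A, s, rho, q)
        counts[c] = counts.get(c, 0) + 1
    total, uniform = 2 ** R, 1 / q ** n
    dist = sum(abs(counts.get(v, 0) / total - uniform)
               for v in itertools.product(range(q), repeat=n))
    return dist / 2


def collision_to_sis(A, x1, x2, q=Q):
    """Binding via SIS: a collision (x1, x2) of f_A gives z = x1 - x2 with
    Az = 0 (mod q) and ||z||_2 <= sqrt(m).  Returns (z, all checks passed)."""
    z = tuple(a - b for a, b in zip(x1, x2))
    nonzero = any(z)
    in_kernel = all(v == 0 for v in f_A(A, z, q))
    short = math.sqrt(sum(v * v for v in z)) <= math.sqrt(len(z))
    return z, nonzero and in_kernel and short


def find_collision(A, q=Q):
    """Brute-force collision search: 2^m binary inputs into q^n outputs."""
    seen = {}
    for x in itertools.product((0, 1), repeat=len(A[0])):
        h = f_A(A, x, q)
        if h in seen:
            return seen[h], x
        seen[h] = x
    return None


def demo(seed=7):
    rng = random.Random(seed)
    A = sample_matrix(rng)
    s = (1, 0, 1, 1, 0, 0, 1, 0)                      # constructed message
    rho = tuple(rng.randrange(2) for _ in range(R))
    c = commit(A, s, rho)
    x1, x2 = find_collision(A)
    z, ok = collision_to_sis(A, x1, x2)
    return {"opened": open_commitment(A, c, s, rho),
            "delta": hiding_distance(A, s), "sis_ok": ok, "z": z}
```

For these toy sizes the Claim's bound on the expected distance is $\sqrt{|G|/2^{m/2}} = \sqrt{25/256} \approx 0.31$, far from negligible; the point of the enumeration is to make the quantity the proof reasons about concrete, while `collision_to_sis` shows why breaking binding is exactly solving SIS with $\beta = \sqrt m$.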

Using the Merkle–Damgård technique, we obtain a string commitment scheme whose commitment function is $\mathrm{Com}_A : \{0,1\}^* \times \{0,1\}^{m/2} \to \mathbb{Z}_q^n$ rather than $\mathrm{Com}_A : \{0,1\}^{m/2} \times \{0,1\}^{m/2} \to \mathbb{Z}_q^n$, as follows.

Assume that $m = 2r$. Let $A = [B\ C]$, where $B, C \in \mathbb{Z}_q^{n \times r}$. For $X \in \mathbb{Z}_q^{n \times r}$, we define $f_X : \{0,1\}^r \to \mathbb{Z}_q^n$ as the hash function $f_X(s) = Xs \bmod q$. Let $l$ be $\lceil n \log q \rceil$ and let $\iota : \mathbb{Z}_q^n \to \{0,1\}^l$ be some one-to-one function such that both $\iota$ and $\iota^{-1}$ are efficiently computable. Let $\mathrm{pad} : \{0,1\}^* \to \{0,1\}^*$ be a padding function for the Merkle–Damgård construction. Applying the Merkle–Damgård construction to $f_C$, we obtain a new hash function $h_C : \{0,1\}^* \to \mathbb{Z}_q^n$. The precise definition of $h_C$ is as follows:

Hash function $h_C$:

1. On input $s$, obtain a padded message $S \leftarrow \mathrm{pad}(s)$.

2. Chop it into $(S_0, \dots, S_k)$, where $S_i \in \{0,1\}^{r-l}$.

3. Let $H_0 = 0$ (more generally, some fixed $H_0$ can be used).

4. For $i = 1$ to $k + 1$ do $H_i \leftarrow f_C(\iota(H_{i-1}) \circ S_{i-1})$.

5. Output $H_{k+1}$.

Our new commitment scheme is defined as follows: for $s \in \{0,1\}^*$ and $\rho \in \{0,1\}^r$, $\mathrm{Com}_A(s; \rho) := h_C(s) + f_B(\rho) \bmod q$.

Lemma 3.2. If there exists a polynomial-time machine outputting a collision for $\mathrm{Com}_A$, then there exists a polynomial-time machine outputting a collision for $f_A$.
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Proof. Let us assume that we obtain a collision ( s,p ), ( s,p ) G {0, 1}* X {0, 1 } r for ConiA. 
By the assumption, we have 

hcis) + f B (p) = h c (s) + f B (p) (mod q ). 

If p = p, we have s ± s and hcis) = hcis). Using the reduction for the Merkle- 
Damgard construction (see e.g., ifTTl Thm. 4.14]), we obtain u ± u e {0, 1 } r such that 
fciu) = fc(u). Thus, we have a collision u o p, u ° p e {0, l] 2r for f\. 

Next, we assume that p ± p. Let S and S be padded messages of s and s, respectively. 
Assume that S and S are chopped into (So, ■ ■ ■ , S k ) and (So, , S k -), respectively. Let 
H k and H*? be inner hash values for .v and 5 in the algorithm, respectively. By the defi- 
nition of Hk and Hk', we obtain 


hcis) = fc(t(H k ) o S k ), 
hcis) = fc(t(H k ') o S k ,). 

Combining the above equations with the assumption, we obtain 
fxitiHk) oS k op) = f A (t(H k .) o S„ o p). 

So, we have a collision t(H k ) a S k a p and t(H k ,) o^opgjO, l} 2r for f A . □ 

We use this commitment scheme in the rest of the paper. We often abuse the notation 
of ConiA. For example, ConiA (vi, V2;p) denotes ComA(string(vi) o string(v2);p), where 
string) v) is a binary representation of v. 
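As an added worked example (editor's code, not from the paper), the following Python implements the construction above with toy parameters and then exercises the reduction of Lemma 3.2 end to end. Everything the text does not fix is an assumption of the example: the padding rule in `pad` (append a 1, zeros, then the bit length), the encoding `t` (a mixed-radix integer written in $l$ bits), the order $\rho \circ w$ of the $f_A$ input (so that $f_A(\rho \circ w) = f_B(\rho) + f_C(w)$ with $A = [B\ C]$), and the parameters $n = 4$, $q = 13$, $m = 40$, which are insecure on purpose: with only $q^n = 28561$ possible outputs, a birthday search finds a $\mathrm{Com}_A$ collision after a few hundred trials, which is exactly the input the reduction needs.

```python
import math
import random

# Toy parameters (insecure on purpose): n, q, m as in the paper, r = m/2,
# and l = ceil(n log2 q) bits suffice to encode Z_q^n injectively.
n, q, m = 4, 13, 40
r = m // 2
l = math.ceil(n * math.log2(q))
b = r - l                       # width of the message blocks S_i

rng = random.Random(2008)
A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
B = [row[:r] for row in A]      # A = [B C]: rho goes through B, the message through C
C = [row[r:] for row in A]


def f(X, bits):
    """f_X(w) = X w mod q for a bit string w given as '0'/'1' characters."""
    assert len(bits) == len(X[0])
    return tuple(sum(X[i][j] for j, ch in enumerate(bits) if ch == '1') % q
                 for i in range(n))


def t(h):
    """Injective encoding t: Z_q^n -> {0,1}^l (mixed-radix integer, l bits)."""
    v = 0
    for coord in reversed(h):
        v = v * q + coord
    return format(v, '0%db' % l)


def pad(s):
    """Merkle-Damgard strengthening (assumed padding rule): append a 1, zeros,
    then the bit length of s in 2b bits, so the result is a multiple of b."""
    length = format(len(s), '0%db' % (2 * b))
    body = s + '1'
    body += '0' * ((-len(body)) % b)
    return body + length


def md_chain(s):
    """Iterate f_C over the padded blocks.  Returns the list of compression
    inputs t(H_{i-1}) o S_{i-1} and the final value h_C(s) = H_{k+1}."""
    S = pad(s)
    H, inputs = (0,) * n, []
    for i in range(0, len(S), b):
        inp = t(H) + S[i:i + b]
        inputs.append(inp)
        H = f(C, inp)
    return inputs, H


def com(s, rho):
    """Com_A(s; rho) = h_C(s) + f_B(rho) mod q, for s of any length."""
    hc, fb = md_chain(s)[1], f(B, rho)
    return tuple((hc[i] + fb[i]) % q for i in range(n))


def find_com_collision():
    """Birthday search: only q^n = 28561 outputs, so a few hundred random
    (s, rho) pairs collide.  Returns two distinct pairs with equal Com_A."""
    seen = {}
    while True:
        s = ''.join(rng.choice('01') for _ in range(rng.randrange(8, 41)))
        rho = ''.join(rng.choice('01') for _ in range(r))
        c = com(s, rho)
        if c in seen and seen[c] != (s, rho):
            return seen[c], (s, rho)
        seen[c] = (s, rho)


def reduce_to_fA_collision(pair1, pair2):
    """Lemma 3.2: map a Com_A collision to an f_A collision on {0,1}^{2r}.
    Inputs are ordered rho o w because f_A(rho o w) = f_B(rho) + f_C(w)."""
    (s1, rho1), (s2, rho2) = pair1, pair2
    in1, in2 = md_chain(s1)[0], md_chain(s2)[0]
    if rho1 != rho2:
        # rho != rho': the two inputs differ already, and
        # f_B(rho) + f_C(last input) is exactly the colliding commitment value.
        return rho1 + in1[-1], rho2 + in2[-1]
    # rho = rho': then h_C(s1) = h_C(s2) with s1 != s2.  Walk both chains
    # backwards: t is injective, so equal inputs force equal previous chaining
    # values, and the last differing inputs collide under f_C (the length block
    # added by pad() guarantees that some input differs).
    for w1, w2 in zip(reversed(in1), reversed(in2)):
        if w1 != w2:
            return rho1 + w1, rho1 + w2
    raise AssertionError("padded messages agree although s1 != s2")


if __name__ == "__main__":
    p1, p2 = find_com_collision()
    w1, w2 = reduce_to_fA_collision(p1, p2)
    print("Com_A collision:", p1, p2)
    print("f_A collision  :", w1 != w2 and f(A, w1) == f(A, w2))
```

`reduce_to_fA_collision` covers both cases of the proof: for $\rho \ne \bar{\rho}$ the last compression inputs give the $f_A$ collision directly, for $\rho = \bar{\rho}$ the two Merkle-Damgård chains are walked backwards until the inputs differ. The toy output space also makes the practical point of Lemma 3.1 and 3.2 concrete: the binding of the real scheme rests on $q^n$ being far beyond what a birthday search can explore.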

4 An Identification Scheme 

Our variant is obtained by replacing the string commitment scheme in Stern's ID scheme [25] with our lattice-based one. Stern's protocol deals with the decoding problem on binary codewords called the Syndrome Decoding Problem³. He also proposed an analogous scheme over $\mathbb{Z}_q$, where $q$ is extremely small (typically 3, 5, or 7) [25, Sec. VI]. We adjust this parameter to connect his framework to our assumptions on lattice problems.

We now describe the protocol below. Obviously, it has perfect completeness and soundness error at most 2/3. By repeating each step of this protocol $t = \omega(\log n)$ times in parallel, the soundness error becomes negligibly small. To simplify the notation, we write $\mathrm{Com}$ instead of $\mathrm{Com}_A$ and we do not write the random strings in $\mathrm{Com}$ explicitly.

SetUp: The setup algorithm, on input $1^n$, outputs a random matrix $A \in \mathbb{Z}_q^{n \times m}$.

KG: The key-generation algorithm, on input $A$, chooses a random vector $x \in B(m, m/2)$ and computes $y := Ax \bmod q$. It outputs $(pk, sk) = (y, x)$.

P, V: The common inputs are $A$ and $y$. The prover's auxiliary input is $x$. They interact as follows:

Step P1: Choose a random permutation $\pi$ over $[m]$ and a random vector $r \in \mathbb{Z}_q^m$, and send commitments $c_1$, $c_2$, and $c_3$ computed as
- $c_1 = \mathrm{Com}(\pi, Ar)$,
- $c_2 = \mathrm{Com}(\pi(r))$,
- $c_3 = \mathrm{Com}(\pi(x + r))$.

Step V1: Send a random challenge $Ch \in \{1, 2, 3\}$ to P.

Step P2:
- If $Ch = 1$, reveal $c_2$ and $c_3$: send $s = \pi(x)$ and $t = \pi(r)$.
- If $Ch = 2$, reveal $c_1$ and $c_3$: send $\phi = \pi$ and $u = x + r$.
- If $Ch = 3$, reveal $c_1$ and $c_2$: send $\psi = \pi$ and $v = r$.

Step V2:
- If $Ch = 1$, check that $c_2 = \mathrm{Com}(t)$, $c_3 = \mathrm{Com}(s + t)$, and $s \in B(m, m/2)$.
- If $Ch = 2$, check that $c_1 = \mathrm{Com}(\phi, Au - y)$ and $c_3 = \mathrm{Com}(\phi(u))$.
- If $Ch = 3$, check that $c_1 = \mathrm{Com}(\psi, Av)$ and $c_2 = \mathrm{Com}(\psi(v))$.

Output $Dec = 1$ if all checks pass, otherwise output $Dec = 0$.

³ The Syndrome Decoding Problem is defined as follows: Given $A \in \mathbb{Z}_2^{n \times m}$, $y \in \mathbb{Z}_2^n$, and $w \in \mathbb{N}$, the problem is to find a vector $x \in B(m, w)$ such that $Ax = y \bmod 2$. We can consider this problem as a restricted version of $\mathrm{SIS}_{2,m,\beta}$.

4.1 Statistical Zero-Knowledge Property

The proof of the zero-knowledge property of the original protocol is in [23, Thm. 4]; Stern left the completion of the proof as a problem for the reader. Thus, we give the whole proof that Stern's protocol is statistically zero knowledge when $\mathrm{Com}$ is a statistically-hiding and computationally-binding string commitment scheme.

Theorem 4.1. The protocol is statistically zero knowledge when $\mathrm{Com}$ is a statistically-hiding and computationally-binding string commitment scheme.

Proof. Following the definition, we construct a simulator $S$ which, on input $A$ and $y$ and given oracle access to a cheating verifier $CV$, outputs a simulated transcript. A real transcript between $P$ and $CV$ on input $A$ and $y$ is denoted by $\langle P, CV \rangle(A, y)$.

First, $S$ chooses a random value $c$ from $\{1, 2, 3\}$, which is a prediction of the value the cheating verifier $CV$ will not choose. Next, it chooses a random tape of $CV$, denoted by $r'$. We remark that, by the assumption on the commitment, the distributions of a challenge from $CV$ in the real interaction and in the simulation are statistically close.

Case $c = 1$: $S$ computes $x' \in \mathbb{Z}_q^m$ such that $Ax' = y$ by using linear algebra. Next, it chooses a random permutation $\pi'$ over $[m]$, a random vector $r' \in \mathbb{Z}_q^m$, and random strings $\rho'_1$, $\rho'_2$, and $\rho'_3$. It computes
- $c'_1 := \mathrm{Com}(\pi', Ar'; \rho'_1)$,
- $c'_2 := \mathrm{Com}(\pi'(r'); \rho'_2)$,
- $c'_3 := \mathrm{Com}(\pi'(x' + r'); \rho'_3)$.

It sends them to $CV$. Since the commitment scheme is statistically hiding, the distribution of a challenge from $CV$ is statistically close to the real distribution. Receiving a challenge $Ch$ from $CV$, the simulator $S$ computes a transcript as follows:
- If $Ch = 1$, $S$ outputs $\bot$ and halts.
- If $Ch = 2$, it outputs $(r'; (c'_1, c'_2, c'_3), 2, (\pi', x' + r', \rho'_1, \rho'_3))$.
- If $Ch = 3$, it outputs $(r'; (c'_1, c'_2, c'_3), 3, (\pi', r', \rho'_1, \rho'_2))$.

We analyze the case $Ch = 2$. In this case, we have
$$\langle P, CV \rangle(A, y) = (r; (c_1, c_2, c_3), 2, (\pi, x + r, \rho_1, \rho_3)),$$
$$S(A, y) = (r'; (c'_1, c'_2, c'_3), 2, (\pi', x' + r', \rho'_1, \rho'_3)).$$
Assume that $(\pi', r', \rho'_1, \rho'_3) = (\pi, r + x - x', \rho_1, \rho_3)$. By this equation, we have $c'_1 = c_1$ (since $Ar' = Ar + Ax - Ax' = Ar$), $c'_3 = c_3$, and the responses from the simulator equal the responses from the prover. Since the commitment is statistically hiding, the distributions of $c_2$ and $c'_2$ are statistically close. Thus we conclude that the distributions of the simulated transcript and the real transcript are statistically close.

It is straightforward to show the case $Ch = 3$ by using the equation $(\pi', r') = (\pi, r)$. Thus we omit this part of the proof.

Case $c = 2$: $S$ chooses a random permutation $\pi'$ over $[m]$, two random vectors $r' \in \mathbb{Z}_q^m$ and $x' \in B(m, m/2)$, and random strings $\rho'_1$, $\rho'_2$, and $\rho'_3$. $S$ computes commitments
- $c'_1 := \mathrm{Com}(\pi', Ar'; \rho'_1)$,
- $c'_2 := \mathrm{Com}(\pi'(r'); \rho'_2)$,
- $c'_3 := \mathrm{Com}(\pi'(x' + r'); \rho'_3)$.

It sends them to $CV$. Receiving a challenge $Ch$, the simulator computes a transcript as follows:
- If $Ch = 1$, then $S$ outputs $(r'; (c'_1, c'_2, c'_3), 1, (\pi'(x'), \pi'(r'), \rho'_2, \rho'_3))$.
- If $Ch = 2$, then it outputs $\bot$ and halts.
- If $Ch = 3$, then it outputs $(r'; (c'_1, c'_2, c'_3), 3, (\pi', r', \rho'_1, \rho'_2))$.

We analyze the case $Ch = 1$. In this case, we have
$$\langle P, CV \rangle(A, y) = (r; (c_1, c_2, c_3), 1, (\pi(x), \pi(r), \rho_2, \rho_3)),$$
$$S(A, y) = (r'; (c'_1, c'_2, c'_3), 1, (\pi'(x'), \pi'(r'), \rho'_2, \rho'_3)).$$
Let $\chi$ be a permutation over $[m]$ such that $\chi(x) = x'$ (one exists since $x$ and $x'$ have the same weight). In this case, we set $(\pi', r', \rho'_2, \rho'_3) = (\pi \circ \chi^{-1}, \chi(r), \rho_2, \rho_3)$. By this equation, we have $\pi(x) = \pi'(x')$, $\pi(r) = \pi'(r')$, $c'_2 = c_2$, and $c'_3 = c_3$; that is, the responses from the simulator equal the responses from the prover. Since the commitment scheme is statistically hiding, the distributions of the real transcript and the output of the simulator are statistically close.

We omit the proof of the case $Ch = 3$, since it is trivial.

Case $c = 3$: $S$ chooses a random permutation $\pi'$ over $[m]$, two random vectors $r' \in \mathbb{Z}_q^m$ and $x' \in B(m, m/2)$, and random strings $\rho'_1$, $\rho'_2$, and $\rho'_3$. $S$ computes
- $c'_1 := \mathrm{Com}(\pi', A(x' + r') - y; \rho'_1)$,
- $c'_2 := \mathrm{Com}(\pi'(r'); \rho'_2)$,
- $c'_3 := \mathrm{Com}(\pi'(x' + r'); \rho'_3)$.

It sends them to $CV$.
- If $Ch = 1$, then $S$ outputs $(r'; (c'_1, c'_2, c'_3), 1, (\pi'(x'), \pi'(r'), \rho'_2, \rho'_3))$.
- If $Ch = 2$, then it outputs $(r'; (c'_1, c'_2, c'_3), 2, (\pi', x' + r', \rho'_1, \rho'_3))$.
- If $Ch = 3$, it outputs $\bot$ and halts.



Concurrently Secure Identification Schemes 385


In the case $Ch = 1$, we consider the equation $(\pi', r', \rho'_2, \rho'_3) = (\pi \circ \chi^{-1}, \chi(r), \rho_2, \rho_3)$, where $\chi$ denotes a permutation over $[m]$ such that $\chi(x) = x'$. The remaining part of the proof is the same as that in the case $c = 2$ and $Ch = 1$. In the case $Ch = 2$, we let $(\pi', r', \rho'_1, \rho'_3) = (\pi, r + x - x', \rho_1, \rho_3)$; then $A(x' + r') - y = A(x + r) - y = Ar$, so $c'_1 = c_1$. The remaining part of the proof is the same as that in the case $c = 1$ and $Ch = 2$.

The probability that the simulator $S$ outputs $\bot$ is at most $1/3 + \epsilon(n) < 1/2$, where $\epsilon$ is some negligible function. Additionally, by the above arguments, the distribution of the output of $S$ conditioned on its not being $\bot$ is statistically close to the distribution of the real transcript. Therefore, we have constructed the simulator and completed the proof. □

Since the protocol is statistically zero knowledge for $t = 1$, it is witness indistinguishable. Witness indistinguishability is closed under parallel composition. Thus, the above protocol is witness indistinguishable for $t = \omega(\log n)$ if a statistically-hiding string commitment scheme is used.
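The following Python is an added example (editor's code, not from the paper) of one round of the protocol of Section 4 together with the simulator of Theorem 4.1 for the guesses $c = 2$ and $c = 3$. Its assumptions: toy parameters $n = 4$, $q = 13$, $m = 12$; a SHA-256 hash with 16 bytes of randomness stands in for $\mathrm{Com}_A$ (computationally rather than statistically hiding, which does not matter for exercising the control flow); a permutation acts on a vector as $(\pi(v))_i = v_{\pi(i)}$; and the $c = 1$ branch, which needs a solution of $Ax' = y$ by linear algebra, is left out.

```python
import hashlib
import random
import secrets

n, q, m = 4, 13, 12          # toy parameters, insecure on purpose
rng = random.Random(385)

def matvec(M, v):
    return tuple(sum(M[i][j] * v[j] for j in range(len(v))) % q for i in range(len(M)))

def vadd(a, b):
    return tuple((x + y) % q for x, y in zip(a, b))

def vsub(a, b):
    return tuple((x - y) % q for x, y in zip(a, b))

def perm(pi, v):
    """Apply a permutation of [m] to a vector: (pi(v))_i = v_{pi(i)}."""
    return tuple(v[pi[i]] for i in range(len(v)))

def in_B(v):
    return set(v) <= {0, 1} and sum(v) == m // 2      # B(m, m/2): weight-m/2 binary vectors

def com(*args, rho=None):
    """Stand-in for Com_A (assumption): SHA-256 over the arguments and 16 random bytes."""
    rho = secrets.token_bytes(16) if rho is None else rho
    return hashlib.sha256(repr(args).encode() + rho).digest(), rho

def random_short():
    x = [1] * (m // 2) + [0] * (m // 2)
    rng.shuffle(x)
    return tuple(x)

def random_mask():
    """A random permutation of [m] and a random r in Z_q^m (Step P1 randomness)."""
    pi = list(range(m))
    rng.shuffle(pi)
    return pi, tuple(rng.randrange(q) for _ in range(m))

def keygen(A):
    """KG: x <- B(m, m/2), y := A x mod q."""
    x = random_short()
    return matvec(A, x), x

def prover_commit(A, x):
    """Step P1."""
    pi, r = random_mask()
    c1, rho1 = com(pi, matvec(A, r))
    c2, rho2 = com(perm(pi, r))
    c3, rho3 = com(perm(pi, vadd(x, r)))
    return (c1, c2, c3), (pi, r, rho1, rho2, rho3)

def prover_respond(x, state, ch):
    """Step P2: open the two commitments the challenge asks for."""
    pi, r, rho1, rho2, rho3 = state
    if ch == 1:
        return perm(pi, x), perm(pi, r), rho2, rho3
    if ch == 2:
        return pi, vadd(x, r), rho1, rho3
    return pi, r, rho1, rho2

def verify(A, y, cmt, ch, rsp):
    """Step V2."""
    c1, c2, c3 = cmt
    if ch == 1:
        s, t, rho2, rho3 = rsp
        return c2 == com(t, rho=rho2)[0] and c3 == com(vadd(s, t), rho=rho3)[0] and in_B(s)
    if ch == 2:
        phi, u, rho1, rho3 = rsp
        return c1 == com(phi, vsub(matvec(A, u), y), rho=rho1)[0] and c3 == com(perm(phi, u), rho=rho3)[0]
    psi, v, rho1, rho2 = rsp
    return c1 == com(psi, matvec(A, v), rho=rho1)[0] and c2 == com(perm(psi, v), rho=rho2)[0]

def simulate(A, y, c, ch):
    """Simulator of Theorem 4.1 without x, for guesses c in {2, 3} (c = 1 would need
    a solution of A x' = y by linear algebra and is left out).  Returns
    (commitments, response) for the challenge ch, or None when ch == c."""
    if ch == c:
        return None
    pi, r = random_mask()
    x_fake = random_short()          # short, but A x_fake != y in general
    u = vadd(x_fake, r)
    if c == 2:                       # can answer Ch = 1 and Ch = 3: neither check involves y
        c1, rho1 = com(pi, matvec(A, r))
    else:                            # c == 3: plant A u - y in c1 so the Ch = 2 check passes
        c1, rho1 = com(pi, vsub(matvec(A, u), y))
    c2, rho2 = com(perm(pi, r))
    c3, rho3 = com(perm(pi, u))
    if ch == 1:
        return (c1, c2, c3), (perm(pi, x_fake), perm(pi, r), rho2, rho3)
    if ch == 2:
        return (c1, c2, c3), (pi, u, rho1, rho3)
    return (c1, c2, c3), (pi, r, rho1, rho2)

def run_round(A, y, x, ch):
    cmt, state = prover_commit(A, x)
    return verify(A, y, cmt, ch, prover_respond(x, state, ch))

A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
y, x = keygen(A)
```

`run_round(A, y, x, ch)` plays one honest round; `simulate(A, y, c, ch)` produces commitments and a response without $x$, and `verify` accepts them whenever $ch \ne c$. The two branches show why: for $c = 2$ the simulator commits honestly around a short but meaningless `x_fake`, which suffices for $Ch \in \{1, 3\}$ since neither of those checks involves $y$; for $c = 3$ it plants $A(x_{\mathrm{fake}} + r) - y$ inside $c_1$ so that the $Ch = 2$ check $c_1 = \mathrm{Com}(\phi, Au - y)$ passes although $A x_{\mathrm{fake}} \ne y$. The one challenge it cannot answer is what the 1/3 abort probability in the proof measures.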

4.2 Security of the Protocol

We show the security theorem for our ID protocol, which concerns impersonation under concurrent attack.

Theorem 4.2. For any $m(n) = O(n \log n)$, there exist $q(n) = O(n^{2.5} \log n)$ and $\gamma(n) = O(n \sqrt{\log n})$ such that $m > 10 n \log q$ and $q^n / |B(m, m/2)|$ is negligible in $n$, and the above ID scheme is secure against impersonation under concurrent attack if $\mathrm{GapSVP}_\gamma$ is hard in the worst case.

Before the proof of security, we need the following simple lemma.

Lemma 4.1. For any fixed $A$, let $Y := \{ y \in \mathbb{Z}_q^n \mid |\{ x \in B(m, m/2) \mid Ax = y \}| = 1 \}$, i.e., the set of vectors $y$ whose preimage $x \in B(m, m/2)$ under $A$ is uniquely determined. If $q^n / |B(m, m/2)|$ is negligible in $n$, then the probability that $y \in Y$ when we obtain $(y, x) \leftarrow KG(A)$ is negligible in $n$.

We now prove Theorem 4.2. Part of the proof is similar to that in [25].

Proof (of Theorem 4.2). Since there exists a worst-case/average-case reduction from $\mathrm{GapSVP}_\gamma$ to $\mathrm{SIS}_{q,m,\beta}$ (Theorem 3.1), we only need to construct $\mathcal{H}$ solving $\mathrm{SIS}_{q,m,\beta}$ on average from an impersonator $I = (CV, CP)$ which succeeds in impersonation under concurrent attack with non-negligible probability $\epsilon$.

For clarity, we write the transcript of an interaction as $(Cmt, Ch, Rsp, Dec)$. Since the protocol is parallelized, each of $Cmt$, $Ch$, and $Rsp$ is an ordered list containing $t$ elements. For example, $Cmt = (Cmt_1, \dots, Cmt_t)$.

Given $A$, $\mathcal{H}$ chooses a random secret key $x \in B(m, m/2)$ and computes $y = Ax$. Using the secret key, it can simulate the prover oracle perfectly. $\mathcal{H}$ runs $CV$ on input $(A, y)$ and obtains a state for $CP$. $\mathcal{H}$ feeds the state to $CP$ and acts as a legitimate verifier. Receiving commitments $Cmt$, $\mathcal{H}$ chooses three challenges $Ch^{(1)}$, $Ch^{(2)}$, and $Ch^{(3)}$ from $\{1, 2, 3\}^t$ uniformly at random. Rewinding with the three challenges, $\mathcal{H}$ obtains three transcripts $(Cmt, Ch^{(i)}, Rsp^{(i)}, Dec^{(i)})$ for $i = 1, 2, 3$ as the results of the interactions.

By the Heavy Row Lemma, the probability that all $Dec^{(i)}$ are 1 is at least $(\epsilon/2)^3$. Meanwhile, we have
$$\Pr[\exists j \in [t] : \{Ch^{(1)}_j, Ch^{(2)}_j, Ch^{(3)}_j\} = \{1, 2, 3\}] = 1 - (7/9)^t$$
by a simple calculation (three independent uniform challenges in $\{1, 2, 3\}$ are pairwise distinct with probability $6/27 = 2/9$). Thus the probability that $\mathcal{H}$ has three transcripts $(Cmt, Ch^{(i)}, Rsp^{(i)}, Dec^{(i)})$ for $i = 1, 2, 3$ such that $Dec^{(i)} = 1$ for all $i$ and $\{Ch^{(1)}_j, Ch^{(2)}_j, Ch^{(3)}_j\} = \{1, 2, 3\}$ for some $j \in [t]$ is at least $(\epsilon/2)^3 - (7/9)^t$, which is non-negligible since $\epsilon$ is non-negligible and $t = \omega(\log n)$.

We next show how $\mathcal{H}$ obtains a secret key or finds a collision of the hash function in the string commitment scheme by using three good transcripts. Assume that $\mathcal{H}$ has three transcripts $(Cmt^{(i)}, Ch^{(i)}, Rsp^{(i)}, Dec^{(i)})$ for $i = 1, 2, 3$ such that $Cmt^{(1)} = Cmt^{(2)} = Cmt^{(3)}$, $Dec^{(i)} = 1$ for all $i$, and $\{Ch^{(1)}_j, Ch^{(2)}_j, Ch^{(3)}_j\} = \{1, 2, 3\}$ for some $j \in [t]$. Without loss of generality, we assume that $Ch^{(i)}_j = i$. We parse $Rsp^{(i)}$ as in Step V2. We have the following equations (we omit $j$ for simplicity):
$$c_1 = \mathrm{Com}_A(\phi, Au - y; \rho_1^{(2)}) = \mathrm{Com}_A(\psi, Av; \rho_1^{(3)}),$$
$$c_2 = \mathrm{Com}_A(t; \rho_2^{(1)}) = \mathrm{Com}_A(\psi(v); \rho_2^{(3)}),$$
$$c_3 = \mathrm{Com}_A(s + t; \rho_3^{(1)}) = \mathrm{Com}_A(\phi(u); \rho_3^{(2)}),$$
$$s \in B(m, m/2).$$
If there exists a distinct pair of arguments of $\mathrm{Com}_A$, $\mathcal{H}$ obtains a collision for $\mathrm{Com}_A$, hence by Lemma 3.2 a collision for $f_A$, and solves $\mathrm{SIS}_{q,m,\beta}$.

Next, we suppose that there exists no distinct pair of arguments of $\mathrm{Com}_A$. Let $\bar{\pi}$ denote the inverse permutation of $\phi$. From the first equation, we have $\bar{\pi}^{-1} = \phi = \psi$. Thus, we obtain $u = \bar{\pi}(s + t)$ from the third equation. Combining it with the first equation, we have $Av = A(\bar{\pi}(s) + \bar{\pi}(t)) - y$. Since $v = \psi^{-1}(t) = \bar{\pi}(t)$ from the second equation, we obtain $y = A \cdot \bar{\pi}(s)$. Since $s \in B(m, m/2)$, $\bar{\pi}(s)$ is also in $B(m, m/2)$. Therefore, $\mathcal{H}$ sets $x' := \bar{\pi}(s)$.

We now have to show that $x' \ne x$ with probability at least $1/2$. By Lemma 4.1, there is another secret key corresponding to $y$ with overwhelming probability. Recall that the protocol is statistically witness indistinguishable. Hence $I$'s view is independent of $\mathcal{H}$'s choice of $x$ with overwhelming probability. Thus we have $x' \ne x$ with probability at least $1/2$. In this case $\mathcal{H}$ outputs $z = x - x'$ and solves $\mathrm{SIS}_{q,m,\beta}$. □

We note that the above proof extends to the multi-user setting as in the proof of Lyubashevsky.
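As an added example (editor's code, not the paper's), here is the extractor from the proof above in the same toy conventions as the earlier protocol example: $n = 4$, $q = 13$, $m = 12$, SHA-256 as a placeholder for $\mathrm{Com}_A$ with the randomness passed as the last argument, and $(\pi(v))_i = v_{\pi(i)}$. The three accepting responses on one commitment triple are produced by an honest prover, which is what the rewound impersonator hands $\mathcal{H}$ in the proof; the extractor replays the Step V2 openings, reports a commitment collision if the two openings of some $c_k$ differ, and otherwise returns $x' = \bar{\pi}(s)$.

```python
import hashlib
import random

n, q, m = 4, 13, 12          # same toy parameters as the protocol example (insecure)
rng = random.Random(42)

def matvec(M, v):
    return tuple(sum(M[i][j] * v[j] for j in range(m)) % q for i in range(n))

def vadd(a, b):
    return tuple((x + y) % q for x, y in zip(a, b))

def vsub(a, b):
    return tuple((x - y) % q for x, y in zip(a, b))

def perm(pi, v):
    return tuple(v[pi[i]] for i in range(m))

def inverse(pi):
    inv = [0] * m
    for i, p in enumerate(pi):
        inv[p] = i
    return inv

def in_B(v):
    return set(v) <= {0, 1} and sum(v) == m // 2

def com(*args):
    """Stand-in for Com_A (assumption); the randomness rho is the last argument."""
    return hashlib.sha256(repr(args).encode()).hexdigest()

def keygen(A):
    x = [1] * (m // 2) + [0] * (m // 2)
    rng.shuffle(x)
    return matvec(A, x), tuple(x)

def three_transcripts(A, x):
    """What H collects at one slot j after rewinding: a commitment triple and
    accepting responses to Ch = 1, 2, 3 (here produced by an honest prover)."""
    pi = list(range(m))
    rng.shuffle(pi)
    r = tuple(rng.randrange(q) for _ in range(m))
    rho = [rng.getrandbits(64) for _ in range(3)]
    cmt = (com(pi, matvec(A, r), rho[0]),
           com(perm(pi, r), rho[1]),
           com(perm(pi, vadd(x, r)), rho[2]))
    rsp = {1: (perm(pi, x), perm(pi, r), rho[1], rho[2]),
           2: (pi, vadd(x, r), rho[0], rho[2]),
           3: (pi, r, rho[0], rho[1])}
    return cmt, rsp

def extract(A, y, cmt, rsp):
    """Extractor from the proof of Theorem 4.2.  Returns ('key', x') with
    A x' = y and x' in B(m, m/2), or ('collision', (args, args')) when the two
    openings of some commitment differ (a Com_A collision, hence by Lemma 3.2
    an f_A collision, i.e. a SIS solution)."""
    s, t, rho2a, rho3a = rsp[1]
    phi, u, rho1b, rho3b = rsp[2]
    psi, v, rho1c, rho2c = rsp[3]
    # The Step V2 openings, paired per commitment.
    openings = [((phi, vsub(matvec(A, u), y), rho1b), (psi, matvec(A, v), rho1c)),
                ((t, rho2a), (perm(psi, v), rho2c)),
                ((vadd(s, t), rho3a), (perm(phi, u), rho3b))]
    for c, (o1, o2) in zip(cmt, openings):
        if not (com(*o1) == c == com(*o2)):
            raise ValueError("a transcript does not verify")
        if o1 != o2:
            return "collision", (o1, o2)
    # No collision: phi = psi, u = pibar(s + t), v = pibar(t), hence y = A pibar(s).
    pibar = inverse(phi)
    return "key", perm(pibar, s)

def sis_solution(x, x_prime):
    """z = x - x' is a short non-zero SIS solution exactly when the extracted key
    differs from H's own key; with an honest prover x' = x and there is none."""
    return None if x_prime == x else vsub(x, x_prime)

A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
y, x = keygen(A)
```

With an honest prover the extracted key equals $\mathcal{H}$'s own $x$, so `sis_solution` returns `None`; the point of the proof is that against an impersonator, witness indistinguishability and Lemma 4.1 make $x' \ne x$ with probability about $1/2$, and then $z = x - x'$ is a $\{-1, 0, 1\}$-vector with $Az = 0$. The `ValueError` branch is the case the proof never reaches, since it starts from transcripts with $Dec^{(i)} = 1$.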

5 An Ad Hoc Anonymous Identification Scheme

We next construct our AID scheme based on GapSVP. First, we sketch the basic idea of our construction. Let $A$ be a system parameter. Each user $i$ has a secret key $x_i \in B(m, m/2)$ and a public key $y_i = Ax_i$. In the AID scheme, a group is specified by the set of public keys $(y_1, \dots, y_l)$ of its members. Let $e_i$ denote the $l$-dimensional vector ${}^t(0, \dots, 0, 1, 0, \dots, 0)$ whose $i$-th element is 1. The prover in the group, who has the secret key $x_i$, wants to convince the verifier that he/she knows $x' := x_i \circ -e_i$ such that $[A\ y_1 \dots y_l]\, x' = 0$ and $x_i \in B(m, m/2)$. Changing the parameters and using Stern's protocol, the prover can convince the verifier that he/she has $x'$ such that $[A\ y_1 \dots y_l]\, x' = 0$, the number of $+1$'s in $x'$ is $m/2$, and the number of $-1$'s in $x'$ is 1. Additionally, we force the prover to prove that $x'$ is of the form $x' = x_i \circ -e_i$. To do so, we divide the permutation $\pi$ in Step P1 into two permutations.

Let $\pi_h$ be a permutation over $[m]$ and $\pi_t$ be a permutation over $[l]$. For a permutation $\pi$ over $[m + l]$, we write $\pi = \pi_h \odot \pi_t$ if

$$\pi = \begin{pmatrix} 1 & 2 & \cdots & m & m+1 & m+2 & \cdots & m+l \\ \pi_h(1) & \pi_h(2) & \cdots & \pi_h(m) & m + \pi_t(1) & m + \pi_t(2) & \cdots & m + \pi_t(l) \end{pmatrix}.$$

For any $\pi_h$ and $\pi_t$, we have $(\pi_h \odot \pi_t)^{-1} = \pi_h^{-1} \odot \pi_t^{-1}$. For any $x_h \in \mathbb{Z}^m$ and $x_t \in \mathbb{Z}^l$, if $\pi = \pi_h \odot \pi_t$ then $\pi(x_h \circ x_t) = \pi_h(x_h) \circ \pi_t(x_t)$.

We now construct an AID scheme based on GapSVP. Similarly to the ID scheme in Section 4, the protocol is repeated $t = \omega(\log n)$ times in parallel to achieve exponentially small soundness error. As in the previous section, we hide the randomness in $\mathrm{Com}_A$.

SetUp: Same as SetUp of the protocol in Section 4.

Reg: Same as KG of the protocol in Section 4.

P, V: The common inputs are $A$ and $(y_1, \dots, y_l)$. The prover's auxiliary input is $x_i$ for some $i \in [l]$. Let $A' := [A\ y_1 \dots y_l]$ and $x := x_i \circ -e_i$. We write $\mathrm{Com}$ instead of $\mathrm{Com}_A$ for ease of notation. They interact as follows:

Step P1: Choose random permutations $\pi_h$ over $[m]$ and $\pi_t$ over $[l]$. Let $\pi = \pi_h \odot \pi_t$. Choose a random vector $r \in \mathbb{Z}_q^{m+l}$. Send commitments $c_1$, $c_2$, and $c_3$ as
- $c_1 = \mathrm{Com}(\pi_h, \pi_t, A'r)$,
- $c_2 = \mathrm{Com}(\pi(r))$,
- $c_3 = \mathrm{Com}(\pi(x + r))$.

Step V1: Send a random challenge $Ch \in \{1, 2, 3\}$ to P.

Step P2:
- If $Ch = 1$, reveal $c_2$ and $c_3$: send $s = \pi(x)$ and $t = \pi(r)$.
- If $Ch = 2$, reveal $c_1$ and $c_3$: send $\phi_h = \pi_h$, $\phi_t = \pi_t$, and $u = x + r$.
- If $Ch = 3$, reveal $c_1$ and $c_2$: send $\psi_h = \pi_h$, $\psi_t = \pi_t$, and $v = r$.

Step V2:
- If $Ch = 1$, check that $c_2 = \mathrm{Com}(t)$, $c_3 = \mathrm{Com}(s + t)$, and $s$ is of the form $s_h \circ -e_j$ for some $j$ with $s_h \in B(m, m/2)$.
- If $Ch = 2$, check that $c_1 = \mathrm{Com}(\phi_h, \phi_t, A'u)$ and $c_3 = \mathrm{Com}((\phi_h \odot \phi_t)(u))$ (note that $A'u = A'r$ since $A'x = 0$).
- If $Ch = 3$, check that $c_1 = \mathrm{Com}(\psi_h, \psi_t, A'v)$ and $c_2 = \mathrm{Com}((\psi_h \odot \psi_t)(v))$.

Output $Dec = 1$ if all checks pass, otherwise output $Dec = 0$.
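An added example (editor's code, not the paper's) of the structural facts the AID protocol relies on, with toy parameters $n = 4$, $q = 13$, $m = 12$, $l = 5$ assumed and $-1$ represented as $q - 1$: $A'x = 0$ for the witness $x = x_i \circ -e_i$, the two identities for split permutations $\pi_h \odot \pi_t$, the $Ch = 1$ form check on $s$, and why the revealed $s$ says nothing about $i$.

```python
import random

n, q, m, l = 4, 13, 12, 5      # toy parameters (insecure); l group members
rng = random.Random(5)
MINUS_ONE = q - 1               # -1 mod q

def matvec(M, v):
    return tuple(sum(M[i][j] * v[j] for j in range(len(v))) % q for i in range(len(M)))

def perm(pi, v):
    """(pi(v))_i = v_{pi(i)}."""
    return tuple(v[pi[i]] for i in range(len(v)))

def inverse(pi):
    inv = [0] * len(pi)
    for i, p in enumerate(pi):
        inv[p] = i
    return inv

def random_perm(k):
    p = list(range(k))
    rng.shuffle(p)
    return p

def split_perm(pi_h, pi_t):
    """pi = pi_h (.) pi_t over [m+l]: pi_h on the first m positions and
    pi_t, shifted by m, on the last l positions."""
    return list(pi_h) + [m + p for p in pi_t]

def group_setup():
    """System parameter A, member keys x_i in B(m, m/2), and A' = [A y_1 ... y_l]."""
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    xs = []
    for _ in range(l):
        x = [1] * (m // 2) + [0] * (m // 2)
        rng.shuffle(x)
        xs.append(tuple(x))
    ys = [matvec(A, x) for x in xs]
    A_prime = [A[i] + [ys[j][i] for j in range(l)] for i in range(n)]
    return A_prime, xs

def witness(xs, i):
    """x = x_i o -e_i for member i (1-based): A' x = A x_i - y_i = 0 mod q."""
    e = [0] * l
    e[i - 1] = MINUS_ONE
    return xs[i - 1] + tuple(e)

def has_form(s):
    """Step V2, Ch = 1: s = s_h o -e_j for some j, with s_h in B(m, m/2)."""
    s_h, s_t = s[:m], s[m:]
    return (set(s_h) <= {0, 1} and sum(s_h) == m // 2
            and s_t.count(MINUS_ONE) == 1 and s_t.count(0) == l - 1)

def check_split_identities(pi_h, pi_t, x):
    """(pi_h (.) pi_t)^{-1} = pi_h^{-1} (.) pi_t^{-1} and
    pi(x_h o x_t) = pi_h(x_h) o pi_t(x_t)."""
    pi = split_perm(pi_h, pi_t)
    ok_inverse = inverse(pi) == split_perm(inverse(pi_h), inverse(pi_t))
    ok_action = perm(pi, x) == perm(pi_h, x[:m]) + perm(pi_t, x[m:])
    return ok_inverse and ok_action

def revealed_position_histogram(xs, i, trials):
    """Where the -1 of s = pi(x) lands over many Ch = 1 openings by member i.
    pi_t alone randomizes that index, so the histogram is flat and independent
    of i: this is the combinatorial core of the anonymity argument."""
    hist = {j: 0 for j in range(l)}
    for _ in range(trials):
        s = perm(split_perm(random_perm(m), random_perm(l)), witness(xs, i))
        hist[s[m:].index(MINUS_ONE)] += 1
    return hist
```

`has_form` is what stops a prover from using a vector with two $-1$'s or none: such an $x$ could also satisfy $A'x = 0$ but is not a member witness. The histogram shows why revealing $s$ for $Ch = 1$ leaks nothing about the member index, while the $Ch = 2$ and $Ch = 3$ openings reveal only $\pi_h$, $\pi_t$ and a masked vector.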


The security of the above protocol is stated as follows. We omit the proof, since it is similar to the proof of Theorem 4.2.

Theorem 5.1. Let $m = m(n)$ and $q = q(n)$ be polynomially bounded functions satisfying the conditions that $m > 10 n \log q$ and $q^n / |B(m, m/2)|$ is negligible in $n$. Assume that there exists an impersonator $I$ that succeeds in impersonation under concurrent chosen-group attack with non-negligible probability. Then there exists a probabilistic polynomial-time algorithm $\mathcal{H}$ that solves $\mathrm{SIS}_{q,m,\beta}$.

Combining Theorem 5.1 with Theorem 3.1, we obtain the following theorem.

Theorem 5.2. For any $m(n) = O(n \log n)$, there exist $q(n) = O(n^{2.5} \log n)$ and $\gamma(n) = O(n \sqrt{\log n})$ such that $q^n / |B(m, m/2)|$ is negligible in $n$ and the above scheme is secure against impersonation under concurrent chosen-group attack if $\mathrm{GapSVP}_\gamma$ is hard in the worst case.

The statistical anonymity of the above scheme follows from the witness indistinguishability of the protocol.
Abstract. The Kannan-Fincke-Pohst enumeration algorithm for the 
shortest and closest lattice vector problems is the keystone of all strong 
lattice reduction algorithms and their implementations. In the context of 
the fast developing lattice-based cryptography, the practical security es- 
timates derive from floating-point implementations of these algorithms. 
However, these implementations behave very unexpectedly and make 
these security estimates debatable. Among others, numerical stability 
issues seem to occur and raise doubts on what is actually computed. 
We give here the first results on the numerical behavior of the floating- 
point enumeration algorithm. They provide a theoretical and practical 
framework for the use of floating-point numbers within strong reduction 
algorithms, which could lead to more sensible hardness estimates. 

Keywords: Lattices, SVP, lattice cryptanalysis, numerical stability. 


1 Introduction 

A lattice $L$ is a discrete subgroup of some $\mathbb{R}^n$. It can always be represented by a basis, i.e., some $d \le n$ linearly independent vectors $b_1, \dots, b_d \in \mathbb{R}^n$ such that $L = \sum_i \mathbb{Z} b_i$. A given lattice has infinitely many bases as soon as $d \ge 2$. One is most often interested in bases made of rather short/orthogonal vectors, which are generically called reduced. They provide a more tractable description of the lattice. Since a lattice is discrete, it contains a vector of smallest non-zero Euclidean length: this length $\lambda$ is called the lattice minimum. The most famous problem related to lattices is the Shortest Vector Problem (SVP), which aims at finding a lattice vector of length $\lambda$ from an arbitrary basis. SVP is known to be NP-hard under randomized reductions [2]. Another popular lattice problem is the Closest Vector Problem (CVP): given a lattice basis and a target vector in $\mathbb{R}^n$, find a lattice vector that is closest to the target. This non-homogeneous version of SVP is NP-hard. Since these problems are costly to solve for large dimensions, one is often satisfied with weaker variants. E.g., in $\gamma$-SVP one asks for a non-zero lattice vector no longer than $\gamma \cdot \lambda$.

* This work is part of the Australian Research Council Discovery Project on Lattices 
and their Theta Series. 

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 390-405, 2008. 
Lattice reduction algorithms range between two extremes. On one side, the LLL algorithm provides a basis with relatively poor properties, in polynomial time. On the other, the Hermite-Korkine-Zolotarev (HKZ) reduction provides an excellent basis but requires a huge computational effort. Schnorr [31] was the first to devise hierarchies of algorithms ranging from LLL to HKZ, depending on a parameter $k$. Schnorr's algorithms make use, in an LLL fashion, of HKZ reductions in projections of sublattices of dimension $O(k)$. When $k$ increases, the cost increases as well, but the quality of the bases improves. The recent hierarchies achieve better trade-offs but follow the same general strategy. In practice, the Schnorr-Euchner BKZ algorithm seems to be the best, at least for small values of $k$. The HKZ reduction uses the Kannan-Fincke-Pohst (KFP) enumeration of short lattice vectors. KFP may be replaced by the probabilistic algorithm of [1], but the latter seems slower in practice.

Lattices appeared for the first time in cryptology at the beginning of the 80's, when the renowned LLL algorithm was used to break knapsack cryptosystems [22]. For many years lattices were mostly used as a cryptanalytic tool. The landscape changed dramatically in the mid-90's with the invention of several lattice-based encryption schemes, among which Ajtai-Dwork, NTRU and GGH [13]. Their security provably/heuristically relies on the hardness of relaxed variants of SVP and CVP. For example, in the GGH/NTRU framework, the hardness of recovering the secret key from the public key is related to SVP and the hardness of maliciously deciphering a message is related to CVP. A recent but very active and promising trend consists in building other cryptographic schemes whose security provably reduces to the assumed worst-case hardness of $\mathrm{Poly}(d)$-SVP for special lattices (called ideal). This includes hashing [23], signatures and public-key identification [21]. Gentry, Peikert and Vaikuntanathan introduced other elaborate schemes, including a signature and an identity-based cryptosystem, to which we refer for more details. Besides cryptology, lattice reduction and in particular KFP is used in many areas, including number theory and communications theory, in which the present results may prove useful as well.

Despite the high-speed development of lattice-based cryptography, its practical security remains to be assessed. Contrary to factorization and discrete logarithm in finite fields and in elliptic curves, the practical limits for solving SVP and CVP and their relaxed variants are essentially unknown, implying that the practicality of the schemes above is debatable. It could be that the suggested key sizes are below what they should be, as happened to be the case with GGH. They may also be too large and then unnecessarily sacrifice efficiency. No significant computational project has ever been undertaken. The main reason is that the algorithmic facet of lattice reduction remains mysterious. In particular, the theoretically best algorithms seem to remain slower than heuristic ones such as BKZ, whose practical behavior is itself suspicious. Let us discuss NTL's BKZ routine, which implements the Schnorr-Euchner algorithm and is the only publicly available such implementation: when the so-called block-size $k$ is around 30, the number of internal calls to SVP in dimension $k$ seems to explode suddenly (although the corresponding quantity decreases with $k$ in the theoretical algorithms); when $k$ increases, BKZ seems to require more precision for the underlying floating-point computations, although the considered bases should become more orthogonal, which implies a better conditioning with respect to numerical computations. The latter raises doubts on what is actually computed and thus on the practical security estimates of lattice-based cryptography.

Classically, to obtain correctness guarantees, the lattices under study should 
be in Q n and the KFP enumeration should rely on a rational arithmetic. How- 
ever, the rationals may have huge bit-sizes (though polynomial in the bit-size of 
the input basis). The bit-size of the rationals is a polynomial factor of the overall 
enumeration cost (between linear and quadratic, depending on the integer arith- 
metic). Keeping a rational arithmetic would decrease the efficiency of KFP signif- 
icantly. In practice, e.g., in NTL, these rational numbers are always replaced by 
small precision floating-point numbers. Finding a small lattice vector corresponds 
to disclosing an integer linear combination of vectors whose coordinates are small, 
i.e., for which any coordinate is a cancellation of integer multiples of initial coor- 
dinates. However, floating-point computations are notoriously inadequate when 
cancellations occur since it often implies huge losses of precision (and thus a pos- 
sibly dramatic growth of relative errors). Moreover, the precision is rather low 
(usually 53 bits), though the number of operations performed may be exponen- 
tial with the dimension. If the operations reuse the variables sequentially, then 
one may run out of precision simply because of the accumulation of the errors. 
Finally, there is no efficient way to check the optimality of a solution but to re-run 
the whole algorithm in rational arithmetic: by comparing the length of the output 
vector with the lattice determinant, one can check that it looks reasonable, but it 
could be that (much) better solutions have been missed. 

In the present paper, we give the first analysis of the influence of floating-point arithmetic within the KFP enumeration algorithm. More precisely, we show that if it is called on an LLL-reduced basis of a lattice made of integer vectors and uses floating-point arithmetic with a precision that is $\Omega(d)$ (the constant being explicit), then it finds the desired solution, i.e., a vector reaching the lattice minimum $\lambda$. Moreover, if the lattice is known only approximately (which may be the case for the projected sublattices in BKZ-style algorithms), then it finds a close to optimal solution. Finally, we also prove that the floating-point enumeration involves essentially the same number of arithmetic operations as the rational one. The results hold in a broad context: the technique can be adapted to fixed-point arithmetic, only a weak condition is required for the input basis (if the input basis is not LLL-reduced, then the cost of the enumeration would grow dramatically), and the input may not be known exactly. Furthermore, the worst-case precision may be provably and adaptively decreased to a usually much smaller sufficient precision that can be computed efficiently from a given input basis. Double precision seems to suffice for KFP for all computationally tractable dimensions.

For the result to be valid, KFP has to be slightly modified (essentially, the initial upper bound has to be enlarged). The proof relies on a subtle analysis of the floating-point variant with respect to the rational enumeration: because of internal tests whose outcomes may differ due to inaccuracies, the execution of the floating-point variant may not mimic at all the ideal one. After working around that difficulty, the proof reduces to standard error analysis. To obtain a low sufficient precision, we heavily use the LLL-reducedness of the input basis.

Our result complements the Nguyen-Stehlé floating-point LLL. By combining these two results, the use of floating-point arithmetic in all practical lattice algorithms may be made rigorous. Providing tight conditions leading to guarantees for the enumeration algorithm is likely to lead to significantly faster algorithms. Since the possible troubles coming from the use of floating-point arithmetic are better understood, one may work around them in the cheapest valid way rather than using unnecessarily large precisions. Like LLL, one may hope to design combinations of reduction algorithms whose arithmetic handling is oblivious to the user, that are guaranteed and as fast as possible. A good understanding of the underlying numerical stability issues provides a firm ground to study other questions. Furthermore, the knowledge of a small sufficient precision for the enumeration algorithm is an invaluable ingredient for hardware-based enumeration: in software, one should not use a precision cruder than the processor double precision; in hardware, however, the smaller the precision the faster. Overall, the floating-point analysis of the enumeration algorithm is a step towards intense cryptanalytic computations.

Road-map. In Section 2 we give the necessary background on lattices and floating-point arithmetic. In Section 3 we precisely describe the algorithm under scope and describe our results. We give elements of the proofs in Section 4, the more technical details being postponed to the appendix of the full version. In Section 5 we discuss the practicality of our results.

Notations. If $x \in \mathbb{R}$, we denote by $\lfloor x \rceil$ its closest integer (if there are two possibilities, the even one is chosen). A variable $\bar{x}$ is supposed to approximate the corresponding $x$, and we define $\Delta x = |\bar{x} - x|$.

Remarks. For simplicity, we will only consider SVP. The results can be extended to CVP. Many variables occur in the text. This is due to the combined technicalities of floating-point arithmetic and LLL. This also comes from the will to provide explicit bounds, which is necessary to actually derive rigorous implementations. Here is a heuristic glossary for a first reading: the LLL-parameters $\delta, \eta, \alpha, \rho$ are essentially $1$, $1/2$, $\sqrt{4/3}$, $\sqrt{3}$; the variables $C_1, C_2, \dots$ are $O(1)$; the variables $\epsilon$ and $\epsilon'$ quantify inaccuracies and are negligible, whereas $K$ is close to 1.

2 Reminders on Lattices and Floating-Point Arithmetic 

We give some quick reminders on floating-point arithmetic and lattices. For more details, we refer to the standard references on each topic.

Floating-point arithmetic. A precision $t$ floating-point number is a triple $(s, e, m) \in \{0, 1\} \times \mathbb{Z} \times (\mathbb{Z} \cap [2^{t-1}, 2^t - 1])$. It represents the real $(-1)^s \cdot m \cdot 2^{e - t + 1}$. The unit in the last place is $\epsilon = 2^{-t+1}$. If $a \in \mathbb{R}$, we denote by $\diamond(a)$ the floating-point number that is closest to $a$ (the one with an even $m$ if there are two solutions). We have $|a - \diamond(a)| \le \epsilon/2 \cdot |a|$. If $a$ and $b$ are two floating-point numbers, we define $a \oplus b$, $a \ominus b$ and $a \otimes b$ by $\diamond(a + b)$, $\diamond(a - b)$ and $\diamond(a \cdot b)$. The double precision $t = 53$ is a common choice as $\oplus$, $\ominus$ and $\otimes$ are implemented at the processor level in most computers. In practice, and for the KFP enumeration in particular, one should use double precision as much as possible. However, asymptotically with respect to the growing lattice dimension $d$, we will need $t = \Omega(d)$.

Gram-Schmidt orthogonalization. Let $b_1, \dots, b_d$ be linearly independent vectors. We define their Gram-Schmidt orthogonalization by $b_i^* = b_i - \sum_{j < i} \mu_{i,j} b_j^*$ with $\mu_{i,j} = \langle b_i, b_j^* \rangle / \|b_j^*\|^2$ for $i > j$. We define $r_i = \|b_i^*\|^2$. The $\mu_{i,j}$'s and $r_i$'s are the Gram-Schmidt coefficients. The $b_i^*$'s are pairwise orthogonal. If the $b_i$'s are integral, then the $\mu_{i,j}$'s are rational and can be computed in polynomial time with the formula above.

LLL-reduction. Let $\eta \in [1/2, 1)$ and $\delta \in (\eta^2, 1)$. Consider a lattice basis $b_1, \ldots, b_d$ and its corresponding $b_i^*$'s and $\mu_{i,j}$'s. The basis is said to be $(\delta, \eta)$-LLL-reduced if for all $i > j$ we have $|\mu_{i,j}| \le \eta$ and $\delta \|b_{i-1}^*\|^2 \le \|b_i^* + \mu_{i,i-1} b_{i-1}^*\|^2$. This directly implies that the lengths of the $b_i^*$'s cannot decrease too fast: if $\alpha := (\delta - \eta^2)^{-1/2}$ then $\alpha^2 r_i \ge r_{i-1}$. In this paper, we will further assume that $\delta > \eta^2 + (1 + \eta)^{-2}$ (so that $\alpha < 1 + \eta$). This assumption is reasonable, since before starting an enumeration one should always LLL-reduce the lattice with $\delta$ close to 1 and $\eta$ close to 1/2. Our analysis can be adapted to the general case, but this complicates the exposition for a situation of no practical interest. Lenstra, Lenstra and Lovász gave an algorithm that computes an LLL-reduced basis from an arbitrary integral basis in time $O(d^5 n \log^3 B)$ where $B$ is the maximum of the lengths of the input vectors. Using (low precision) floating-point arithmetic for the Gram-Schmidt computations, Nguyen and Stehlé [27] decreased that complexity to $O(d^4 n (d + \log B) \log B)$. Their algorithm requires $\eta > 1/2$. They rely on floating-point approximations to the Gram-Schmidt orthogonalization, which are much cheaper to obtain than the exact one. As an intermediate result, they show that if the input basis is LLL-reduced and if the computations are based on the exact Gram matrix (the matrix of the pairwise scalar products of the basis vectors), then this approximation is accurate even with low precision (linear with respect to the dimension).

Theorem 1 ([27]). Let $b_1, \ldots, b_d \in \mathbb{Z}^n$ be a $(\delta, \eta)$-LLL-reduced basis, with $\eta \in [1/2, 1)$ and $\delta \in (\eta^2, 1)$. Let $u \in (0, 1/16)$ and $\rho = (1 + \eta + u)(\delta - \eta^2)^{-1/2}$. Let $t$ be such that $C_1 \rho^{2d} \epsilon \le u$ where $\epsilon = 2^{-t+1}$ and $C_1 = 32 d^2$. Starting from the Gram matrix of the $b_i$'s and using precision $t$ floating-point arithmetic, one can compute some $\bar{\mu}_{i,j}$'s and $\bar{r}_i$'s such that:

$$\forall i > j,\ |\bar{\mu}_{i,j} - \mu_{i,j}| \le C_1 \rho^{2j} \epsilon \quad \text{and} \quad \forall i,\ |\bar{r}_i - r_i| \le C_1 \rho^{2i} \epsilon \cdot r_i.$$


Rigorous and Efficient Short Lattice Vectors Enumeration 


395 


3 Floating-Point Lattice Enumeration 

The usual method to solve SVP and CVP relies on the KFP enumeration [11,18]. We refer to [1] for a comprehensive survey. Here we will consider the variant due to Schnorr and Euchner since it is the fastest and the one used in NTL. After describing the algorithm, we explain how to use floating-point arithmetic and finally give our main results.

3.1 The Enumeration Algorithm 

The KFP algorithm for SVP takes as input a lattice basis and returns a shortest non-zero lattice vector. For this, it considers some $A$ and finds all solutions $(x_1, \ldots, x_d) \in \mathbb{Z}^d$ to the equation

$$\Big\| \sum_{i=1}^d x_i b_i \Big\|^2 \le A. \quad (1)$$

If $A \ge \|b_1\|^2$, then the set of solutions is non-trivial and SVP is solved by keeping the best one. Equation (1) is equivalent to

$$\sum_{i=1}^d \Big( x_i + \sum_{j > i} x_j \mu_{j,i} \Big)^2 r_i \le A. \quad (2)$$

We let $c_i = -\sum_{j=i+1}^d x_j \mu_{j,i}$ and perform the change of variable $y_i := x_i - c_i$. This corresponds to applying to $x$ the triangular matrix whose diagonal coefficients are 1 and whose off-diagonal coefficients are the $\mu_{i,j}$'s. Any sequence $(y_1, \ldots, y_d)$ corresponds to a unique sequence $(x_1, \ldots, x_d)$. Equation (2) becomes $\sum_{i=1}^d y_i^2 r_i \le A$, which implies that:

$$y_d^2 r_d \le A, \qquad y_{d-1}^2 r_{d-1} \le A - y_d^2 r_d, \qquad \ldots, \qquad y_1^2 r_1 \le A - \sum_{j=2}^d y_j^2 r_j.$$

KFP finds all $y_d$'s satisfying the first equation, then all $(y_{d-1}, y_d)$'s satisfying the second equation, etc. until it discloses all $(y_1, \ldots, y_d)$'s satisfying the last equation. Let $i \le d$. Suppose that $y_{i+1}, \ldots, y_d$ are already set. Then there is a finite number of possibilities for $y_i$ since $y_i$ belongs to a bounded interval and is the fixed shift (by $c_i$) of the integer variable $x_i$. The number of possibilities for $y_i$ is $\le 1 + 2\sqrt{A/r_i}$. This shows that the bigger the $r_i$'s, the faster the enumeration. We will see that big $r_i$'s also help decreasing the floating-point precision needed for the computations. Overall, KFP consists in trying to build solution vectors $\sum_{i=1}^d x_i b_i$ to Equation (1) by successively looking at the projections orthogonally to the spans of $(b_1, \ldots, b_i)$ for a decreasing $i$. For a given choice of $(x_{i+1}, \ldots, x_d)$, the variable $x_i$ belongs to an interval centered in $c_i$. Its length is $2\sqrt{(A - \ell_{i+1})/r_i}$, where $\ell_{i+1} := \sum_{j > i} y_j^2 r_j$.

Schnorr and Euchner improved KFP as follows. Suppose $(x_{i+1}, \ldots, x_d)$ is set. Instead of looking at the possible $x_i$'s in a straight increasing fashion, they are chosen from the center of the interval to its borders: the first value is $\lfloor c_i \rceil$, then the integer that is second closest to $c_i$, etc. This has the effect of sorting the $\ell_i$'s by increasing order, and thus of maximizing the likelihood of quickly finding a solution to Equation (1). Once a solution is found, the value of $A$ may be decreased, which possibly cuts off many branches of the execution tree. In Figure 1 we give a detailed description of the enumeration algorithm using the Schnorr-Euchner zig-zag path. The vector $sol$ stores the non-zero vector $x$ that is currently thought as minimizing $\|\sum_i x_i b_i\|$. It remains 0 as long as no length below $\sqrt{A}$ has been found. The $\Delta x_i$'s and $\Delta^2 x_i$'s are used to implement the zig-zag path.


Input: A bound $A$. Approximations $\bar{\mu}_{i,j}$'s and $\bar{r}_i$'s to the Gram-Schmidt coefficients of a possibly unknown basis $b_1, \ldots, b_d$.
Output: A coordinate vector $x \in \mathbb{Z}^d \setminus \{0\}$ such that $\sum_{i=1}^d x_i b_i$ is likely to reach the lattice minimum.

1. $x := (1, 0, \ldots, 0)$; $\Delta x := (1, 0, \ldots, 0)$; $\Delta^2 x := (1, -1, \ldots, -1)$; $sol := 0$.
2. $c, \ell, y := 0$.
3. $i := 1$. Repeat
4.   $y_i := |x_i - c_i|$; $\ell_i := \ell_{i+1} + y_i^2 r_i$.
5.   If $\ell_i \le A$ and $i = 1$, then $(sol, A) := update(sol, A, x, \ell_1)$ and go to Step 11.
6.   If $\ell_i \le A$ and $i > 1$, then $i := i - 1$ and
7.     $c_i := -\sum_{j=i+1}^d x_j \mu_{j,i}$,
8.     $x_i := \lfloor c_i \rceil$; $\Delta x_i := 0$; if $c_i < x_i$ then $\Delta^2 x_i := 1$ else $\Delta^2 x_i := -1$.
9.   Else if $\ell_i > A$ and $i = d$, return $sol$ and stop.
10.  Else ($\ell_i > A$ and $i < d$) $i := i + 1$ and
11.    $\Delta^2 x_i := -\Delta^2 x_i$; $\Delta x_i := -\Delta x_i + \Delta^2 x_i$; $x_i := x_i + \Delta x_i$.

Fig. 1. The Schnorr-Euchner variant of the KFP enumeration algorithm

The algorithm of Figure 1 calls an $update$ routine. In the ideal case, i.e., with correct input Gram-Schmidt coefficients and exact computations, we simply take $update_1(sol, A, x, \ell_1) = (x, \ell_1)$. If we use floating-point arithmetic, however, this strategy may lead us to cut off branches of the tree that could contain the minimal non-zero length: if the computed approximation to $\ell_1$ under-estimates it and if the lattice minimum is between both values and has not been reached yet, it will be missed. One can avoid this pitfall when floating-point arithmetic is used but the lattice is perfectly known, i.e., the genuine $b_i$'s or the correct Gram-Schmidt quantities are given. In that situation, it is useful to consider $update_2$ defined as follows: $update_2(sol, A, x, \ell_1) = (x, A)$ when $sol = 0$ or $\|\sum_i x_i b_i\| < \|\sum_i sol_i b_i\|$ (exactly), and $update_2(sol, A, x, \ell_1) = (sol, A)$ otherwise.

When using floating-point arithmetic, it is crucial to specify the order in which the operations are performed. At Step 4, we will evaluate the term $y_i^2 r_i$ as $\bar{r}_i \otimes (\bar{y}_i \otimes \bar{y}_i)$. At Step 7, we will evaluate $\sum_{j=i+1}^d x_j \mu_{j,i}$ as $(x_{i+1} \otimes \bar{\mu}_{i+1,i}) \oplus [(x_{i+2} \otimes \bar{\mu}_{i+2,i}) \oplus [\cdots \oplus (x_d \otimes \bar{\mu}_{d,i}) \cdots]]$. Finally, notice that the $x_i$'s, $\Delta x_i$'s, $\Delta^2 x_i$'s and $sol_i$'s remain integers.
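The loop of Figure 1 with both update rules and the operation order fixed above, as an added example that is not code from the paper or from fplll: exact and double-precision Gram-Schmidt, the $(\delta, \eta)$-LLL-reducedness test, and the Schnorr-Euchner zig-zag enumeration. The 3-dimensional basis is a constructed input, chosen so that $b_1$ is not a shortest vector and so that every Gram-Schmidt quantity is exactly representable as a double; the brute-force check over a small coefficient box is part of the demo, not of the algorithm. After a solution is recorded at level 1, the zig-zag continues at level 1 until the test fails, which is the reading of Figure 1 that the proof of Lemma 3 relies on.

```python
from fractions import Fraction
from math import floor
from itertools import product

# Constructed (0.99, 0.51)-LLL-reduced basis: r = (64, 50, 40.5) and every
# mu_{i,j} = 1/2, so the double-precision Gram-Schmidt data are exact.
# Its shortest vector is b_3 - b_2 = (0, 2, -7), of squared norm 53 < 64 = r_1.
BASIS = [[8, 0, 0], [4, 5, 5], [4, 7, -2]]

def gram_schmidt(basis, num=Fraction):
    """Return (mu, r): r[i] = ||b_i^*||^2 and mu[i][j] = <b_i, b_j^*> / r[j] for j < i.
    num=Fraction gives the exact rationals; num=float gives the rounded values
    that the floating-point enumeration consumes (the paper's bar-mu, bar-r)."""
    d = len(basis)
    b = [[num(x) for x in v] for v in basis]
    bstar, mu, r = [], [[num(0)] * d for _ in range(d)], [num(0)] * d
    for i in range(d):
        v = b[i][:]
        for j in range(i):
            mu[i][j] = sum(p * q for p, q in zip(b[i], bstar[j])) / r[j]
            v = [p - mu[i][j] * q for p, q in zip(v, bstar[j])]
        bstar.append(v)
        r[i] = sum(p * p for p in v)
    return mu, r

def is_lll_reduced(basis, delta=Fraction(99, 100), eta=Fraction(51, 100)):
    """Exact (delta, eta)-LLL-reducedness: |mu_{i,j}| <= eta for i > j, and the
    Lovasz condition delta * r_{i-1} <= r_i + mu_{i,i-1}^2 * r_{i-1} for all i."""
    mu, r = gram_schmidt(basis)
    d = len(basis)
    size_reduced = all(abs(mu[i][j]) <= eta for i in range(d) for j in range(i))
    lovasz = all(delta * r[i - 1] <= r[i] + mu[i][i - 1] ** 2 * r[i - 1] for i in range(1, d))
    return size_reduced and lovasz

def sq_norm(basis, x):
    """Exact integer squared norm of sum_i x_i b_i, the paper's n(x)."""
    v = [sum(xi * bi[k] for xi, bi in zip(x, basis)) for k in range(len(basis[0]))]
    return sum(c * c for c in v)

def brute_force_min(basis, bound):
    """Reference value for the demo: min n(x) over nonzero x in [-bound, bound]^d."""
    d = len(basis)
    return min(sq_norm(basis, x) for x in product(range(-bound, bound + 1), repeat=d) if any(x))

def enumerate_se(mu, r, A, basis=None):
    """Schnorr-Euchner enumeration (Figure 1) on floating-point mu, r; returns (sol, A).
    basis=None: update_1, i.e. A := ell_1 at each solution.  basis given: update_2,
    A is kept and candidates are compared on exact integer norms.
    Indices are 0-based, so i = 0 is the paper's i = 1."""
    d = len(r)
    x, dx, ddx = [1] + [0] * (d - 1), [1] + [0] * (d - 1), [1] + [-1] * (d - 1)
    c, y, ell = [0.0] * d, [0.0] * d, [0.0] * (d + 1)   # ell[d] == 0: empty tail sum
    sol, i = None, 0
    while True:
        y[i] = abs(x[i] - c[i])                       # Step 4, in the paper's order:
        ell[i] = ell[i + 1] + r[i] * (y[i] * y[i])    # ell_{i+1} (+) r_i (x) (y_i (x) y_i)
        if ell[i] <= A:
            if i > 0:                                 # Steps 6-8: go down one level
                i -= 1
                acc = 0.0                             # Step 7, summed from x_d inwards
                for j in range(d - 1, i, -1):
                    acc = acc + x[j] * mu[j][i]
                c[i] = -acc
                x[i] = floor(c[i] + 0.5)              # nearest integer to c_i
                dx[i] = 0
                ddx[i] = 1 if c[i] < x[i] else -1
                continue
            if basis is None:                         # Step 5 with update_1
                sol, A = x[:], ell[0]
            elif sol is None or sq_norm(basis, x) < sq_norm(basis, sol):   # update_2
                sol = x[:]
        else:
            if i == d - 1:                            # Step 9: top level exhausted
                return sol, A
            i += 1                                    # Step 10
        ddx[i] = -ddx[i]                              # Step 11: zig-zag around c_i
        dx[i] = -dx[i] + ddx[i]
        x[i] += dx[i]

if __name__ == "__main__":
    mu_f, r_f = gram_schmidt(BASIS, float)
    print("LLL-reduced:", is_lll_reduced(BASIS), " r =", r_f)
    print("update_2 (sol, A):", enumerate_se(mu_f, r_f, r_f[0], basis=BASIS))
    print("update_1 (sol, A):", enumerate_se(mu_f, r_f, r_f[0]))
    print("brute-force minimum:", brute_force_min(BASIS, 2))
```

Started with $A = r_1 = 64$, both variants leave $b_1$ behind and return a coordinate vector of squared norm 53; with $update_1$ the returned bound has shrunk to 53, with $update_2$ it stays at 64 and the exact comparison does the selection.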

An iteration of the loop is uniquely determined by the values of $i$ and $(x_i, \ldots, x_d)$ at the beginning of the iteration. We say that the state is $\sigma = (i, [x_i, \ldots, x_d])$. Let $i \le d$ and $x_i, \ldots, x_d \in \mathbb{Z}$. The floating-point algorithm and the exact algorithm do not necessarily perform the same iterations, and even if they do they may not be performed in the same order. It is thus impossible to compare the values of the variables for a given loop iteration. However, one may compare the values of the variables for a given state of the loop. In both the exact and floating-point variants, the values of the $c_i$'s, $y_i$'s and $\ell_i$'s do not depend on the iteration, but only on the state. Furthermore, these values are well-defined even if they are not actually computed: they do not depend on the initial bound $A$, nor on the existence of an iteration with the right state, nor on the order in which the states are visited. Consider a variable of the algorithm. We use the notation $v$ to represent its value at a given state with exact computations and $\bar{v}$ its value at the same state with floating-point computations.

3.2 Main Results 

We consider a lattice basis $b_1, \ldots, b_d$ that is $(\delta, \eta)$-LLL-reduced with $\eta \in [1/2, 1)$ and $\eta^2 + \frac{1}{(1+\eta)^2} < \delta < 1$. We let $\alpha = (\delta - \eta^2)^{-1/2}$ and $\rho = (1 + \eta)\alpha$. The minimum of the lattice spanned by the $b_i$'s is denoted by $\lambda$. Below, when using KFP, the basis may not be known. In that case, its Gram-Schmidt coefficients or approximations thereof are known. The former situation may arise if one knows only the Gram matrix of the basis. The latter is typical of BKZ-style algorithms: one tries to reduce a large-dimensional lattice basis $b_1, \ldots, b_d$ by enumerating short vectors of lattices spanned by the projections of the vectors $b_{i+1}, \ldots, b_{i+k}$ orthogonally to $b_1, \ldots, b_i$, for some $i$ and $k$; usually, one only knows approximations to the Gram-Schmidt coefficients of the projected $k$-dimensional basis.

Suppose we use floating-point arithmetic in the enumeration procedure, as described above. We denote by $\epsilon$ the unit in the last place and we define $K = 1 + \epsilon/2$. We allow the input Gram-Schmidt coefficients to be incorrect. For this purpose, we define:

$$\kappa = \max\Big( \max_{i > j} \frac{|\bar{\mu}_{i,j} - \mu_{i,j}|}{\epsilon},\ \max_i \frac{|\bar{r}_i - r_i|}{\epsilon \cdot r_i} \Big).$$

If the Gram-Schmidt coefficients are exactly known and then rounded, we have $\kappa \le 1$. They can also be computed as mentioned in Theorem 1, in which case we have $\kappa \le C_1 \rho^{2d} (1 + u')^{2d}$ for some small $u' > 0$.

To simplify the theorems below, we introduce some notation. We define $R = (1 + \kappa\epsilon) \cdot \max_i r_i$: it bounds all the $r_i$'s as well as the $\bar{r}_i = r_i + \Delta r_i$'s. We also define:


2ct(2 + k + 2 C 2 ) 
1 + r) - a 



R 




The following theorem shows that when some exact knowledge of the lattice is provided then the floating-point enumeration solves SVP, if the precision is $\Omega(d)$ and the initial length upper bound is slightly increased in order to take care of the inaccuracies. In particular, in the most usual case where the $r_i$'s decrease, one can choose $A = r_1 \cdot (1 + (2d + C_3 \rho^d)\epsilon)$, which is only slightly larger than $r_1$. If the $r_i$'s do not decrease, they can still be assumed of the same order of magnitude (up to a factor $2^{O(d)}$), thanks to the LLL-reducedness of the input basis, and the a priori knowledge that larger $r_i$'s will not be used in vectors reaching the minimum.

Theorem 2. Consider the floating-point KFP algorithm described in Subsection 3.1. Suppose that either the $b_i$'s are known or that the Gram-Schmidt quantities are correct, and that the $update_2$ function is used. We assume that $C_2 \rho^d \cdot \epsilon \le 0.01$ and $A \ge (1 + 2d\epsilon) \cdot \lambda^2 + C_3 \rho^d \epsilon \cdot R$. Then the returned coordinates $sol$ satisfy $\|\sum_i sol_i b_i\| = \lambda$.

In the theorem above, we do not cut off branches of the computation once a short vector has been found: we keep the initial bound $A$. It is possible to decrease $A$ each time a significantly shorter vector is found. Suppose a vector of exact squared norm $A' < A$ has been found. Then we can set $A = \min(A, A'(1 + \epsilon''))$, for a well chosen $\epsilon''$ that can be made explicit. This takes care of possible slight over-estimates of internal $\bar{\ell}_i$'s which could erroneously lead to the removal of useful loop iterations. For the sake of simplicity, we do not consider this variant here.

Within BKZ-style algorithms, one may only know approximations to the Gram-Schmidt coefficients of the input basis, making Theorem 2 inapplicable in such situations. Furthermore, due to the input uncertainty, one may not be able to decide which is the shortest between two vectors of close-by lengths: one cannot do better than finding a vector which is not much longer than $\lambda$. Of course, if there is a sufficient gap between $\lambda$ and the length of any lattice vector that does not reach the minimum, then an optimal solution will be found. The theorem below shows that finding a close to optimal vector is actually possible.

Theorem 3. Consider the floating-point KFP algorithm described in Subsection 3.1 with the $update_1$ function. Let $\gamma = \|\sum_i sol_i b_i\|$ be the norm of the found solution. If $A \ge r_1$ and $\epsilon' \le 0.01$, then:

$$\lambda^2 \le \gamma^2 \le (1 + 4d\epsilon) \cdot \lambda^2 + C_4 \max(1, \ldots) \rho^d \epsilon \cdot R.$$
It should be noted that floating-point variants of BKZ cannot solve their internal SVP instances exactly: the best they can do is to solve $(1 + \epsilon'')$-SVP instances instead, for some small $\epsilon''$. However, with a small enough $\epsilon''$, this does not change significantly the overall quality of the output bases.

The two results above provide correctness guarantees for the floating-point enumeration that are as good as could be expected. However, since the algorithm is not the rational one, the complexity analyses do not hold anymore. The following theorem shows that the overhead of the floating-point enumeration with respect to the rational one is small.

Theorem 4. Consider the floating-point KFP algorithm described in Subsection 3.1 with either of the update functions and either the knowledge of the basis or the Gram-Schmidt coefficients or only approximations thereof. Let $\gamma = \|\sum_i sol_i b_i\|$ be the norm of the found solution. We suppose that $\epsilon' \le 0.01$. Then the number of loop iterations is lower than the number of loop iterations of the rational algorithm given the genuine basis and an input bound $A' = (1 + d\epsilon) \cdot A + C_4 \max(1, \ldots) \rho^d \epsilon \cdot R$.

As a consequence of Theorems 2 and 4, the cost of Kannan's algorithm [19] can be decreased from $\mathrm{Poly}(n, \log B) \cdot d^{\frac{d}{2e}(1 + o(1))}$ (see [15]) to $\big( d^{\frac{d}{2e}} + \mathrm{Poly}(n, \log B) \big) \cdot d^{o(d)}$: it suffices to use rationals everywhere but in the enumerations, which should be performed with precision $O(d)$.

4 Error Analysis of the Floating-Point Enumeration 

We now turn to the proofs of Theorems 2, 3 and 4. We proceed by proving that the computed lengths $\bar{\ell}_i$ of the projected vectors are accurate. Lemma 1 means that $\bar{\ell}_1$ cannot be much larger than $\ell_1$, which suffices for Theorem 2. For the other results, we need the converse: Lemma 2 means that the true $\ell_i$ cannot be much larger than the computed one. The proofs of Lemmata 1 and 2 are explained in Subsection 4.2.

As mentioned in Section 3, an $\bar{\ell}_i$ computed by the floating-point algorithm may not correspond to any $\ell_i$ computed by the rational one with the same bound $A$, and vice-versa. To be rigorous, we need the following definitions. For $x \in \mathbb{Z}^d$, we let $n(x) = \|\sum_{i=1}^d x_i b_i\|^2$ and $h(x)$ its approximation as would be computed by the enumeration were the state $(1, [x_1, \ldots, x_d])$ visited. We use the notations and hypotheses of Section 3.

Lemma 1. Suppose that $C_2 \rho^d \cdot \epsilon \le 0.01$. Let $x \in \mathbb{Z}^d$. If $n(x) \le r_1$, then:
$h(x) \le (1 + 2d\epsilon) \cdot n(x) + C_3 \rho^d \epsilon \cdot R$.

Lemma 2. Suppose that $\epsilon' \le 0.01$. Let $x \in \mathbb{Z}^d$ and $i \le d$. We consider the state $(i, [x_i, \ldots, x_d])$. Then

$$\ell_i \le (1 + d\epsilon) \cdot \bar{\ell}_i + C_3 \max(1, \ldots) \rho^d \epsilon \cdot R.$$

4.1 Using Lemmata 1 and 2 to Prove the Theorems

Let us first prove Theorem 2 from Lemma 1. Let $(x_1, \ldots, x_d)$ be the coordinates of a shortest vector. If the state $(1, x)$ is considered by the floating-point algorithm with $A \ge (1 + 2d\epsilon) \cdot \lambda^2 + C_3 \rho^d \epsilon \cdot R$, then a shortest vector will be found. Making sure that $(1, x)$ is indeed considered is the purpose of the following lemma. It relies on subtle properties of the floating-point model, in particular that the rounding is a non-decreasing function.

Lemma 3. If one uses the $update_2$ function within the enumeration, then all coordinate vectors $x$ such that $h(x) \le A$ will indeed be considered during the execution.

Proof. Let $x \in \mathbb{Z}^d$ with $h(x) \le A$. We show by induction on decreasing $i$ that $(i, [x_i, \ldots, x_d])$ is considered and that at this moment the test $\bar{\ell}_i \le A$ is satisfied. Let $i \le d$. We consider the sequence $(\sigma_1, \ldots, \sigma_T)$ of considered states $(i, [X, x_{i+1}, \ldots, x_d])$ with $X \in \mathbb{Z}$. It is non-empty if $i = d$, and it is also non-empty if $i < d$ by induction hypothesis.

The sequence $(|x_i(\sigma_t) - \bar{c}_i|)_t$ is non-decreasing. The first integer $X = x_i(\sigma_1)$ is exactly $\lfloor \bar{c}_i \rceil$. The computation of $x_i(\sigma_t)$ from $x_i(\sigma_{t-1})$ is exact, and the distance between $x_i(\sigma_t)$ and $\bar{c}_i$ is non-decreasing. Since the rounding function is non-decreasing, the sequence $(\bar{y}_i(\sigma_t))_t$ is also non-decreasing. For the same reason, the sequence $(\bar{\ell}_i(\sigma_t))_t$ is non-decreasing.

Consider the value $\bar{\ell}$ of $\bar{\ell}_i$ were it computed with $(x_i, \ldots, x_d)$. We have $\bar{\ell} \le h(x) \le A$. Since $\bar{\ell}_i(\sigma_T) > A$, there must exist $t$ such that $x_i(\sigma_t) = x_i$ and the test $\bar{\ell}_i \le A$ is satisfied for that state $\sigma_t$. $\square$

We now prove Theorem 3. If we use $update_1$, the bound $A$ may decrease during the execution, to finally reach a value $A_{end}$. The final output would have been the same if we had started with $A = A_{end}$. We consider that it is the case, which implies that $A$ is not modified during the execution. Let $x \in \mathbb{Z}^d$ such that $n(x) = \lambda^2$. Lemma 1 implies that $h(x) \le (1 + 2d\epsilon) \cdot \lambda^2 + C_3 \rho^d \epsilon \cdot R$. We must have $A \le (1 + 2d\epsilon) \cdot \lambda^2 + C_3 \rho^d \epsilon \cdot R$ since otherwise $A$ would have been decreased after $x$ was found. Applying Lemma 2 with $sol$ and using the above bound on $A$ provides the result.

For Theorem 4, consider a state $(i, [x_i, \ldots, x_d])$ with a successful test $\bar{\ell}_i \le A$. Lemma 2 gives $\ell_i \le (1 + d\epsilon) \cdot A + C_3 \max(1, \ldots) \rho^d \epsilon \cdot R \le A'$. Therefore, the exact algorithm with the bound $A'$ would have considered this state and the corresponding test would have been successful as well. Moreover, there are as many failed loop iterations with $i < d$ as successful loop iterations with $i > 1$. This completes the proof.


4.2 Proving Lemmata 1 and 2

The proofs of Lemmata 1 and 2 rely on standard techniques of floating-point error analysis. We simultaneously bound the errors and the variables, which leads us to use an induction on the decreasing index $i$. Within the induction step, we rely on three basic facts whose proofs are tedious but straightforward. They are given in the appendix of the full version.

Lemma 4. Suppose that $C_2 \rho^d \epsilon \le 0.01$. Suppose we are at the end of Step 4 of some loop iteration with state $(i, [x_i, \ldots, x_d])$. If there exists a constant $v \ge 1$ such that for any $j > i$ we have $y_j \le v \alpha^{j-i}$, then

$$\Delta c_i \le C_2 v \alpha^{d-i} (1 + \eta)^{d-i} \epsilon \quad \text{and} \quad \Delta y_i \le \bar{y}_i \epsilon / 2 + K C_2 v \alpha^{d-i} (1 + \eta)^{d-i} \epsilon.$$

Lemma 5. At Step 4 of the floating-point algorithm, we have:

$$\big| (\bar{y}_i \otimes \bar{y}_i) \otimes \bar{r}_i - r_i y_i^2 \big| \le R K^2 \big[ (\kappa + 1) y_i^2 \epsilon + (2 y_i + \Delta y_i) \Delta y_i \big].$$

Lemma 6. Suppose that $C_2 \rho^d \epsilon \le 0.01$. Suppose we are at the end of Step 4 of some loop iteration with state $(i, [x_i, \ldots, x_d])$. If there exists a constant $v \ge 1$ such that for any $j > i$ we have $y_j \le v \alpha^{j-i}$, then:

$$\Delta \ell_i \le d\epsilon \cdot \ell_i + C_3 v^2 \rho^d \epsilon \cdot R \quad \text{and} \quad \Delta \ell_i \le d\epsilon \cdot \bar{\ell}_i + C_3 v^2 \rho^d \epsilon \cdot R.$$
We can now prove Lemma 1. Let $x \in \mathbb{Z}^d$ such that $n(x) \le r_1$. Since the basis is LLL-reduced, the $y_i$'s corresponding to $x$ satisfy $y_i \le \sqrt{n(x)/r_i} \le \sqrt{r_1/r_i} \le \alpha^{i-1}$. The first part of Lemma 6 with $v = 1$ provides the result.

Finally, we prove Lemma 2. Let $x \in \mathbb{Z}^d$ and $i \le d$. We show by induction on $j$ decreasing from $d$ to $i$ that the bound on $\Delta c_j$ of Lemma 4 holds and that we have $y_j \le v \alpha^{j-i}$, with $v = \max(1, \ldots)$. Lemma 2 will then follow from the second part of Lemma 6. Let $j \ge i$. By induction, we have $y_k \le v \alpha^{k-i}$ for any $k > j$, so that the bounds of Lemma 4 hold. It remains to see that $y_j \le v \alpha^{j-i}$. Lemmata 5 and 6 provide:

$$r_j y_j^2 \le \ell_j \le \bar{\ell}_j + \Delta \ell_j \le K \bar{\ell}_j + \Delta \ell_{j+1} + \big| (\bar{y}_j \otimes \bar{y}_j) \otimes \bar{r}_j - r_j y_j^2 \big|$$
$$\le K \bar{\ell}_j + d\epsilon \bar{\ell}_j + C_3 v^2 \rho^d \epsilon R + R K^2 \big[ (\kappa + 1) y_j^2 \epsilon + (2 y_j + \Delta y_j) \Delta y_j \big].$$

We use Lemma 4 to bound $\Delta y_j$ in the equation above. This leads to $P(y_j) \le 0$, where $P$ is the degree-2 polynomial with coefficients:

$$P_0 = -\bar{\ell}_j (K + d\epsilon) - C_3 v^2 R \rho^d \epsilon - R K (C_2 v \rho^d \epsilon)^2,$$
$$P_1 = -2 R K^4 C_2 v \alpha^{d-j} (1 + \eta)^{d-j} \epsilon \quad \text{and} \quad P_2 = r_j - 2 R K^3 (\kappa + 1) \epsilon.$$

The fact that $\epsilon' \le 0.01$ implies that $P_2 > 0$ and thus that $y_j$ is below the positive root of $P$. It can be checked that $P(v \alpha^{j-i}) \ge 0$, which implies that $y_j \le v \alpha^{j-i}$. This completes the proof.

5 Practical Considerations 

The algorithm described in Section 3 has been implemented in C++ and is freely distributed within fplll-3.0. The code does not use the worst-case bounds above but remains guaranteed, as explained below. We also explain how our results may be used within BKZ-style algorithms.
5.1 Guaranteeing the Computations with Smaller Precision

The worst-case bounds given in Section 4 are very pessimistic for generic instances. This is due to the facts that all $|\mu_{i,j}|$'s (resp. $r_{i-1}/r_i$'s) are bounded by their worst-case value $\eta$ (resp. $\alpha^2$) and all floating-point errors are considered to be always maximal and in the worst direction. Although they might occur, cases where all these bounds are tight are unlikely. In the worst-case analysis, we also use loose bounds to simplify the technicalities, though they do not modify the terms that are exponential in $d$. For $(\delta, \eta) = (0.99, 0.51)$, if the Gram-Schmidt coefficients are correct up to their last bit ($\kappa \le 1$), the provably sufficient precision for a $d$-dimensional enumeration is $\approx 0.8 \cdot d$ (when $d$ grows to infinity). To take advantage of the machine instructions, one is tempted to use double precision, i.e., $\epsilon = 2^{-52}$. In that case, the enumeration is guaranteed up to dimension $\approx 45$ (for an output relative error $\le 1\%$).

In practice, one should rather turn the worst-case error analysis into an algorithm. One can use the values of the actual Gram-Schmidt coefficients rather than general upper bounds. If they are known approximately, one should take into consideration their intrinsic inaccuracies. The adaptive precision computation uses $O(d^2)$ arithmetic operations: Lemmata 4 and 6 are applied $O(d)$ times each and both perform $O(d)$ operations. This computation is thus dominated by the enumeration. The error computations are themselves performed in floating-point arithmetic, but one should be cautious with the rounding modes: since we try to upper bound a quantity, the default rounding to nearest should be replaced by roundings towards infinities and zero. In the code, we used MPFR [30] for that purpose.

The table below illustrates the above technique. Each entry corresponds to 10 samples of the following experiment. A $(d+1) \times d$ matrix $B$ is sampled: for any $i$, $B[1,i]$ is a random integer with $100 \cdot d$ bits, $B[i+1,i]$ is 1 and the other entries are 0. The columns of the matrix $B$ are then $(0.99, 0.51)$-LLL-reduced. Then the adaptive precision computation is performed. The precision is computed so that the algorithm is guaranteed to solve 1.01-SVP. One observes that double precision suffices for dimensions up to 90, which is higher than what is currently handleable in practice.

Dimension $d$                                              20  30  40  50  60  70  80
Worst-case required precision (Theorem 3)                  33  41  49  57  66  74  82
Adaptively computed required precision
  (worst case over the samples)                            20  25  29  33  38  42  47

5.2 Enumerating within BKZ-Style Algorithms 

With the floating-point LLL of Nguyen and Stehlé [27] and the present results, one may use floating-point arithmetic within BKZ-style algorithms in a guaranteed way. However, it is not clear yet how to maximize the efficiency while doing this. As a target, double precision should be used as much as possible, since multi-precision arithmetic is significantly slower.

A first solution consists in performing all operations with the same provably sufficient precision, provided by the bounds given in Section 4 after replacing $\kappa$ by the bounds of Theorem 1 and $R$ by $2\alpha^{2d} \cdot r_1$ (the vectors whose $r_i$'s are $\ge \alpha^{2d} r_1$ cannot be used to create a vector of minimal non-zero length). Though the precision remains $O(d)$, it will be fairly large and slow multi-precision arithmetic will be necessary. It can be checked that the required precision can be decreased by a constant factor by noticing that in Theorem 1 the errors on $\bar{\mu}_{i,j}$ and $\bar{r}_i$ depend on the index.

Another possibility is to use a Gram-Schmidt orthogonalization with very high precision and then use the adaptive precision estimate described above. Double precision is likely to be sufficient for all reasonable values of the hierarchy parameter $k$, making the computed approximations to the Gram-Schmidt coefficients correct up to relative error $2^{-53}$. Since the enumerations are likely to dominate the overall cost, it is worth using multi-precision arithmetic to compute accurate Gram-Schmidt coefficients in order to be allowed double precision within the enumerations.

If the Gram-Schmidt computations are not negligible with respect to the enumerations, then one could try using double precision in all computations. This may be done by relying on the following strategy:

- Run the floating-point LLL algorithm with double precision for the Gram-Schmidt computations, with infinite loop detection.

- If the double precision seemed to suffice (i.e., the execution terminated without an infinite loop detection), compute a posteriori accuracy bounds as described by Villard.

- Run the adaptive precision computation to see if double precision suffices for the enumeration.

6 Concluding Remarks 

We proved strong numerical properties of the KFP enumeration algorithm, which gives a deeper insight into the use of floating-point arithmetic within lattice reduction algorithms. To obtain a full hierarchy of reduction algorithms ranging from LLL to HKZ that efficiently relies on floating-point arithmetic, it only remains to see how to combine our new results with those on floating-point LLL from [27]. It would also be interesting to devise new techniques to decrease the required precision in order to be able to use double precision as often as possible.

However, we answered only one of the two main troubles related to BKZ-style algorithms: it is still unknown how to best use small dimensional lattice enumeration within a large dimensional reduction. It would be desirable to have an algorithm which is theoretically at least as good as the best current one, that would beat BKZ in practice and whose behavior would be perfectly understood. Once this is done, there will remain to mount massive computational projects to assess the limits of current computers against lattice-based cryptography. It will then make sense to run the enumeration on hardware. Our analysis extends to fixed-point arithmetic, which is the natural arithmetical choice in hardware.
Abstract. We study the problem of finding solutions to linear equations modulo an unknown divisor $p$ of a known composite integer $N$. An important application of this problem is factorization of $N$ with given bits of $p$. It is well-known that this problem is polynomial-time solvable if at most half of the bits of $p$ are unknown and if the unknown bits are located in one consecutive block. We introduce a heuristic algorithm that extends factoring with known bits to an arbitrary number $n$ of blocks. Surprisingly, we are able to show that $\ln(2) \approx 70\%$ of the bits are sufficient for any $n$ in order to find the factorization. The algorithm's running time is however exponential in the parameter $n$. Thus, our algorithm is polynomial time only for $n = O(\log \log N)$ blocks.

Keywords: Lattices, small roots, factoring with known bits. 

1 Introduction 

Finding solutions to polynomial modular equations is a central mathematical problem and lies at the heart of almost any cryptanalytic approach. For instance, most symmetric encryption functions can be interpreted as polynomial transformations from plaintexts to ciphertexts. Solving the corresponding polynomial equations yields the secret key.

Among all polynomial equations the linear equations $f(x_1, \ldots, x_n) = a_1 x_1 + a_2 x_2 + \cdots + a_n x_n$ play a special role, since they are often easier to solve. Many problems already admit a linear structure. For instance, the subset sum problem for finding a subset of $s_1, \ldots, s_n$ that sums to $t$ asks for a 0,1-solution $(y_1, \ldots, y_n)$ of the linear equation $s_1 x_1 + \cdots + s_n x_n - t = 0$. Special instances of this problem can be solved by lattice techniques [CJL+92].

Although many problems are inherently of non-linear type, solution strategies for these problems commonly involve some linearization step. In this work, we address the problem of solving modular linear equations $f(x_1, \ldots, x_n) = 0 \bmod N$ for some $N$ with unknown factorization. Note that modular equations usually

* This research was supported by the German Research Foundation (DFG) as part of the project MA 2536/3-1.

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 406-424, 2008.
have many solutions $(y_1, \ldots, y_n) \in \mathbb{Z}_N^n$. An easy counting argument however shows that one can expect a unique solution whenever the product of the unknowns is smaller than the modulus, provided the coefficients $a_i$ are uniformly distributed in $\mathbb{Z}_N$. More precisely, let $X_i$ be upper bounds such that $|y_i| \le X_i$ for $i = 1 \ldots n$. Then one can roughly expect a unique solution whenever the condition $\prod_i X_i \le N$ holds.

It is folklore knowledge that under the same condition $\prod_i X_i \le N$ the unique solution $(y_1, \ldots, y_n)$ can heuristically be recovered by computing a shortest vector in an $n$-dimensional lattice. In fact, this approach lies at the heart of many cryptanalytic results (see e.g. [GM97, NS01, Ngu04, BM05]). If in turn we have $\prod_i X_i \ge N^{1+\epsilon}$ then the linear equation usually has $N^\epsilon$ many solutions, which is exponential in the bit-size of $N$. So there is no hope to find efficient algorithms that in general improve on this bound, since one cannot even output all roots in polynomial time.
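The folklore attack of the previous paragraph, as an added example that is not from the paper: for a known modulus $N$ and bounds with $X_1 X_2 < N$, the unique small solution of $a_1 x_1 + a_2 x_2 + a_3 \equiv 0 \pmod N$ is read off a short vector of a 4-dimensional lattice. The LLL routine is a textbook exact-rational implementation written for this example; $N$, the $a_i$, the bounds and the planted solution are constructed with a fixed seed, and the weights $W_i$ and the scaling constant $C$ are choices of this example, not of the paper.

```python
from fractions import Fraction
import random

def lll_reduce(basis, delta=Fraction(99, 100)):
    """Textbook LLL on integer row vectors with exact rational Gram-Schmidt.
    Returns a (delta, 1/2)-LLL-reduced basis of the same lattice.  Dimensions
    here are tiny, so recomputing the orthogonalisation at every step is fine."""
    b = [list(v) for v in basis]
    n = len(b)

    def gso():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = sum(Fraction(p) * q for p, q in zip(b[i], bstar[j])) / sum(q * q for q in bstar[j])
                v = [p - mu[i][j] * q for p, q in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    k = 1
    while k < n:
        bstar, mu = gso()
        for j in range(k - 1, -1, -1):                  # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [p - q * r for p, r in zip(b[k], b[j])]
                bstar, mu = gso()
        rk = sum(p * p for p in bstar[k])
        rk1 = sum(p * p for p in bstar[k - 1])
        if rk >= (delta - mu[k][k - 1] ** 2) * rk1:    # Lovasz condition
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            k = max(k - 1, 1)
    return b

def solve_linear_mod(a, N, X):
    """Heuristically recover (x_1, ..., x_n) with |x_i| <= X_i and
    a_1 x_1 + ... + a_n x_n + a_{n+1} = 0 (mod N), where a = [a_1, ..., a_{n+1}].
    Lattice rows: (C a_i, 0, .., W_i, .., 0) for i = 1..n+1 and (C N, 0, ..., 0).
    The combination sum_i x_i row_i + row_{n+1} + m row_{n+2} has first coordinate
    0 and the others x_i W_i, W_{n+1}; with C huge it is the shortest vector."""
    n = len(X)
    C = N * N                                # any vector with a nonzero first
    W = [N // Xi for Xi in X] + [N]          # coordinate is then far too long
    rows = []
    for i in range(n + 1):
        row = [C * a[i]] + [0] * (n + 1)
        row[1 + i] = W[i]
        rows.append(row)
    rows.append([C * N] + [0] * (n + 1))
    for v in lll_reduce(rows):
        if v[0] != 0 or abs(v[n + 1]) != W[n]:
            continue
        sign = 1 if v[n + 1] > 0 else -1
        x = [sign * v[1 + i] // W[i] for i in range(n)]
        in_box = all(abs(xi) <= Xi for xi, Xi in zip(x, X))
        if in_box and (sum(ai * xi for ai, xi in zip(a, x)) + a[n]) % N == 0:
            return x
    return None

def constructed_instance(seed=7, bits=64, n=2, xbits=12):
    """Constructed test case: a random odd 64-bit N, random a_1..a_n, a planted
    solution with |x_i| <= 2^12 (so X_1 X_2 = 2^24 << N), and a_{n+1} chosen
    so that the modular relation holds."""
    rng = random.Random(seed)
    N = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    X = [1 << xbits] * n
    x_true = [rng.randint(-Xi, Xi) for Xi in X]
    a = [rng.randrange(1, N) for _ in range(n)]
    a.append((-sum(ai * xi for ai, xi in zip(a, x_true))) % N)
    return N, a, X, x_true

if __name__ == "__main__":
    N, a, X, x_true = constructed_instance()
    print("product of bounds below N:", X[0] * X[1] < N)
    print("planted:", x_true, " recovered:", solve_linear_mod(a, N, X))
```

The recovered vector is validated against the bounds and the modular relation before it is returned, since LLL only guarantees an approximation of the shortest vector; for these parameters the gap between the target and the next lattice minimum is large enough that the check is merely a safeguard.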

In the late 80's, Håstad [Has88] and Toffin, Girault, Vallée [GTV88] extended the lattice-based approach for linear equations to modular univariate monic polynomials $f(x) = a_0 + a_1 x + \cdots + a_{\delta-1} x^{\delta-1} + x^\delta$. In 1996, Coppersmith [Cop96b] further improved the bounds of [Has88, GTV88] to $|x_0| \le N^{1/\delta}$ for lattice-based solutions that find small roots of $f(x)$. For modular univariate polynomials $f(x)$ there are again counting arguments that show that this bound cannot be improved in general. Even more astonishing than the improved bound is the fact that Coppersmith's method does neither rely on a heuristic nor on the computation of a shortest vector, but provably provides all roots smaller than this bound and runs in polynomial time using the $L^3$ algorithm [LLL82].

In the same year, Coppersmith [Cop96a] formulated another rigorous method for bivariate polynomials $f(x, y)$, see also [Cor07]. This method has several nice applications, most notably the problem of factoring with high bits known and also an algorithm that shows the deterministic polynomial time equivalence of factoring and computing the RSA secret key [May04, CM07]. In the factoring with high bits known problem, one is given an RSA modulus $N = pq$ and an approximation $\tilde{p}$ of $p$. This enables to compute an approximation $\tilde{q}$ of $q$, which leads to the bivariate polynomial equation $f(x, y) = (\tilde{p} + x)(\tilde{q} + y) - N$. Finding the unique solution in turn enables to factor. Coppersmith showed that this can be done in polynomial time given 50% of the bits of $p$ and thereby improved upon a result from Rivest and Shamir [RS85], who required 60% of the bits of $p$. Using an oracle that answers arbitrary questions instead of returning bits of the prime factor, Maurer [Mau95] presented a probabilistic algorithm based on elliptic curves, that factors an integer $N$ in polynomial time making at most $\epsilon \log N$ oracle queries for any $\epsilon > 0$.

In 2001, Howgrave-Graham [HG01] gave a reformulation of the factoring with high bits known problem, showing that the remaining bits of $p$ can be recovered if $\gcd(\tilde{p} + x, N)$ is sufficiently large. This can also be stated as finding the root of the linear monic polynomial $f(x) = \tilde{p} + x \bmod p$ where $p \ge N^\beta$ for some $0 < \beta \le 1$. Later, this was generalized by May [May03] to arbitrary monic modular polynomials of degree $\delta$ which results in the bound $x_0 \le N^{\beta^2/\delta}$. The result for factoring with high bits known follows for the choice $\beta = \frac{1}{2}$, $\delta = 1$.

Notice that in the factoring with high bits known problem, the unknown bits 
have to be in one consecutive block of bits. This variant of the factorization 
problem is strongly motivated by side-channel attacks that in most cases enable 
an attacker to recover some of the bits of the secret key. The attacker is then left 
with the problem of reconstructing the whole secret out of the obtained partial 
information. Unfortunately, the unknown part is in general not located in one 
consecutive bit block but widely spread over the whole bit string. This raises the 
question whether we can sharpen our tools to this general scenario. 

Our contribution: We study the problem of finding small roots of linear modular polynomials $f(x_1, \ldots, x_n) = a_1 x_1 + a_2 x_2 + \cdots + a_n x_n + a_{n+1} \bmod p$ for some unknown $p \ge N^\beta$ that divides the known modulus $N$. This enables us to model the problem of factoring with high bits known with an arbitrary number $n$ of unknown blocks. Namely, if the $k$-th unknown block starts in the $\ell$-th bit position we choose $a_k = 2^\ell$.

We are able to show an explicit bound for the product $\prod_i X_i \le N^\gamma$, where $\gamma$ is a function in $\beta$ and $n$. For the special case in which $p = N$, i.e. $\beta = 1$ and the modulus $p$ is in fact known, we obtain the previously mentioned folklore bound $\prod_i X_i \le N$. Naturally, the larger the number $n$ of blocks, the smaller is the bound for $\prod_i X_i$ and the larger is the running time of our algorithm. In other words, the larger the number of blocks, the more bits of $p$ we have to know in the factoring with known bits problem. What is really surprising about our lattice-based method is that even for an arbitrary number $n$ of blocks, our algorithm still requires only a constant fraction of the bits of $p$. More precisely, a fraction of $\ln(2) \approx 70\%$ of $p$ is always sufficient to recover $p$.

Unfortunately, the running time of our algorithm heavily depends on $n$. Namely, the dimension of the lattice basis that we have to $L^3$-reduce grows exponentially in $n$. Thus, our algorithm is polynomial time only if $n = O(\log\log N)$. For larger values of $n$, our algorithm gets super-polynomial. To the best of our knowledge, state-of-the-art general purpose factorization algorithms like the GNFS cannot take advantage of extra information like given bits of one of the prime factors. Thus, our algorithm still outperforms the GNFS for the factoring with known bits problem provided that $n = o(\log^{1/3} N \cdot \log\log^{2/3} N)$.

We would like to notice that our analysis for arbitrary $n$ yields a bound $\prod_i X_i \le N^\gamma$ that holds no matter how the sizes of the unknowns are distributed among the $X_i$. In case the $X_i$ are of strongly different sizes, one might even improve on the bound $N^\gamma$. For our starting point $n = 2$, we sketch such a general analysis for arbitrary sizes of $X_1, X_2$. The analysis shows that the bound for the product $X_1 X_2$ is minimal when $X_1 = X_2$ and that it converges to the known Coppersmith result $N^{\beta^2}$ in the extreme case, where one of the $X_i$ is set to $X_i = 1$.

Notice that if one of the upper bounds is set to $X_i = 1$ then the bivariate linear equation essentially collapses to a univariate equation. In this case, we also obtain the bound $N^{\beta^2}$ for the factoring with known bits problem. Thus, our algorithm does not only include the folklore bound as a special case but also the Coppersmith bound for univariate linear modular equations.

As our lattice-based algorithm eventually outputs multivariate polynomials over the integers, we are using a well-established heuristic [Cop97, BD00] for extracting the roots. We show experimentally that this heuristic works well in practice and always yielded the desired factorization. In addition to previous papers that proposed to use resultant or Gröbner basis computations, we use the multidimensional Newton method from numerical mathematics to efficiently extract the roots.

The paper is organized as follows. Section 2 recalls basic lattice theory. In Section 3 we give the analysis of bivariate linear equations modulo an unknown divisor. As noticed before, we prove a general bound that holds for all distributions of $X_1, X_2$ as well as sketch an optimized analysis for strongly unbalanced $X_1, X_2$. Section 4 generalizes the analysis to an arbitrary number $n$ of variables. Here, we also establish the $\ln(2) \approx 70\%$ result for factoring with known bits. We experimentally verify the underlying heuristic in Section 5.


2 Preliminaries 

Let $b_1, \ldots, b_k$ be linearly independent vectors in $\mathbb{R}^n$. Then the lattice $L$ spanned by $b_1, \ldots, b_k$ is the set of all integer linear combinations of $b_1, \ldots, b_k$. We call $b_1, \ldots, b_k$ a basis of $L$. The integer $k$ is called the dimension or rank of the lattice and we say that the lattice has full rank if $k = n$.

Every nontrivial lattice in $\mathbb{R}^n$ has infinitely many bases, therefore we seek good ones. The most important quality measure is the length of the basis vectors, which corresponds to the basis vectors' orthogonality. A famous theorem of Minkowski [Min10] relates the length of the shortest vector in a lattice to the determinant:

Theorem 1 (Minkowski). In an $\omega$-dimensional lattice, there exists a non-zero vector $v$ with

$$\|v\| \le \sqrt{\omega}\,\det(L)^{1/\omega}. \qquad (1)$$

In lattices with fixed dimension we can efficiently find a shortest vector, but for arbitrary dimensions, the problem of computing a shortest vector is known to be NP-hard under randomized reductions [Ajt98]. The $L^3$ algorithm, however, computes in polynomial time an approximation of the shortest vector, which is sufficient for many applications. The basis vectors of an $L^3$-reduced basis fulfill the following property (for a proof see e.g. [May03]).

Theorem 2 ($L^3$). Let $L$ be an integer lattice of dimension $\omega$. The $L^3$ algorithm outputs a reduced basis spanned by $\{v_1, \ldots, v_\omega\}$ with

$$\|v_1\| \le \|v_2\| \le \ldots \le \|v_i\| \le 2^{\frac{\omega(\omega-1)}{4(\omega+1-i)}}\,\det(L)^{\frac{1}{\omega+1-i}}, \qquad i = 1, \ldots, \omega \qquad (2)$$


in polynomial time. 
The underlying idea of Coppersmith's method for finding small roots of polynomial equations is to reduce the problem of finding roots of $f(x_1, \ldots, x_n) \bmod p$ to finding roots over the integers. Therefore, one constructs a collection of polynomials that share a common root modulo $p^m$ for some well-chosen integer $m$. Then one finds an integer linear combination which has a sufficiently small norm. The search for such a small norm linear combination is done by defining a lattice basis via the polynomials' coefficient vectors. An application of $L^3$ yields a small norm coefficient vector that corresponds to a small norm polynomial.

The following lemma due to Howgrave-Graham gives a sufficient condition under which modular roots are also roots over $\mathbb{Z}$ and quantifies the term "sufficiently small".

Lemma 1. Let $g(x_1, \ldots, x_n) \in \mathbb{Z}[x_1, \ldots, x_n]$ be an integer polynomial with at most $\omega$ monomials. Suppose that

1. $g(y_1, \ldots, y_n) = 0 \bmod p^m$ for $|y_1| \le X_1, \ldots, |y_n| \le X_n$ and

2. $\|g(x_1 X_1, \ldots, x_n X_n)\| < \frac{p^m}{\sqrt{\omega}}$.

Then $g(y_1, \ldots, y_n) = 0$ holds over the integers.

Our approach relies on heuristic assumptions for computations with multivariate 
polynomials. 

Assumption 1. Our lattice-based construction yields algebraically independent polynomials. The common roots of these polynomials can be efficiently computed using numerical methods.

The first part of Assumption 1 assures that the constructed polynomials allow for extracting the common roots, while the second part assures that we are able to compute these common roots efficiently. We would like to point out that our subsequent complexity considerations solely refer to our lattice-based construction, which turns a linear polynomial $f(x_1, \ldots, x_n) \bmod p$ into $n$ polynomials over the integers. We assume that the running time for extracting the desired root out of these $n$ polynomials is negligible compared to the time complexity of the lattice construction. We verify this experimentally in Section 5. Usually, our method yields more than $n$ polynomials, so one can make use of additional polynomials as well.

3 Bivariate Linear Equations 

The starting point of our analysis are bivariate linear modular equations $f(x_1, x_2) = a_1 x_1 + a_2 x_2 + a_3 \bmod p$. The parameter $p$ is unknown; we only know a multiple $N$ of $p$ and the parameter $\beta$ that quantifies the size relation $p \ge N^\beta$. Let $X_1, X_2$ be upper bounds on the desired solution $y_1, y_2$, respectively. Moreover, we require that our linear polynomial is monic with respect to one of the variables, i.e. either $a_1 = 1$ or $a_2 = 1$. This is usually not a restriction, since we could e.g. multiply $f(x_1, x_2)$ by $a_1^{-1} \bmod N$. If this inverse does not exist, we can factorize $N$.
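As an added illustration (not code from the paper), the following Python models a factoring with known bits instance the way the introduction describes, as a linear equation $f(x_1, \ldots, x_n) = \tilde p + \sum_k 2^{\ell_k} x_k \bmod p$ with one variable per unknown block, and then performs the normalization just described, multiplying by $a_1^{-1} \bmod N$ to make the polynomial monic in $x_1$ (a non-invertible coefficient yields a factor of $N$). The prime $p$, cofactor $q$ and the known-bit mask are constructed sample values.

```python
from math import gcd, log


def unknown_blocks(mask, nbits):
    """Maximal runs of unknown bits (mask bit == 0) as (start, length) pairs, lowest bit first."""
    blocks = []
    pos = 0
    while pos < nbits:
        if (mask >> pos) & 1:
            pos += 1
            continue
        start = pos
        while pos < nbits and not (mask >> pos) & 1:
            pos += 1
        blocks.append((start, pos - start))
    return blocks


def build_equation(p, mask, nbits):
    """Model p with its known bits fixed and one unknown per block, using a_k = 2^l for a
    block starting at bit l.  Returns (p_tilde, coeffs, bounds, solution) such that
    p == p_tilde + sum(coeffs[k] * solution[k]) and 0 <= solution[k] < bounds[k]."""
    p_tilde = p & mask                                    # known bits in place, unknown bits zeroed
    blocks = unknown_blocks(mask, nbits)
    coeffs = [1 << start for start, _ in blocks]          # a_k = 2^{l_k}
    bounds = [1 << length for _, length in blocks]        # X_k = 2^{len_k}
    solution = [(p >> start) & ((1 << length) - 1) for start, length in blocks]
    return p_tilde, coeffs, bounds, solution


def make_monic(p_tilde, coeffs, N):
    """Multiply f = p_tilde + sum a_k x_k by a_1^{-1} mod N so that the x_1 coefficient is 1.
    Returns (monic_coeffs, None), or (None, factor) if gcd(a_1, N) > 1 already splits N."""
    g = gcd(coeffs[0], N)
    if g != 1:
        return None, g
    inv = pow(coeffs[0], -1, N)
    return [p_tilde * inv % N] + [a * inv % N for a in coeffs], None


def evaluate(const, coeffs, values):
    """f(values) for the constant term and the block coefficients."""
    return const + sum(a * y for a, y in zip(coeffs, values))


def known_fraction(mask, nbits):
    """Fraction of the nbits positions whose bit value is known."""
    return bin(mask & ((1 << nbits) - 1)).count("1") / nbits


# --- constructed sample instance (not taken from the paper) ---
P = 2**31 - 1              # 31-bit Mersenne prime, plays the role of the secret factor p
Q = 2**61 - 1              # another Mersenne prime, the cofactor q
N = P * Q
NBITS = 31
# two unknown blocks: bits 3..6 (4 bits) and bits 12..17 (6 bits); every other bit is known
MASK = ((1 << NBITS) - 1) & ~(0xF << 3) & ~(0x3F << 12)

if __name__ == "__main__":
    p_tilde, coeffs, bounds, sol = build_equation(P, MASK, NBITS)
    print("unknown blocks (start, length):", unknown_blocks(MASK, NBITS))
    print("coefficients a_k:", coeffs, "bounds X_k:", bounds)
    print("f(y) == p:", evaluate(p_tilde, coeffs, sol) == P)
    monic, factor = make_monic(p_tilde, coeffs, N)
    print("monic f(y) = 0 mod p:", evaluate(monic[0], monic[1:], sol) % P == 0)
    print("known fraction %.3f (asymptotic requirement ln 2 = %.3f)" % (known_fraction(MASK, NBITS), log(2)))
```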
In the following theorem, we give an explicit bound on $X_1 X_2$ under which we can find two polynomials $g_1(x_1, x_2)$ and $g_2(x_1, x_2)$ that evaluate to zero at all small points $(y_1, y_2)$ with $|y_1 y_2| \le X_1 X_2$. Under the heuristic that $g_1$ and $g_2$ are algebraically independent, all roots smaller than $X_1 X_2$ can be recovered by standard methods over the integers.

Theorem 3. Let $\varepsilon > 0$ and let $N$ be a sufficiently large composite integer with a divisor $p \ge N^\beta$. Furthermore, let $f(x_1, x_2) \in \mathbb{Z}[x_1, x_2]$ be a linear polynomial in two variables. Under Assumption 1 we can find all solutions $(y_1, y_2)$ of the equation $f(x_1, x_2) = 0 \bmod p$ with $|y_1| \le N^\gamma$ and $|y_2| \le N^\delta$ if

$$\gamma + \delta \le 3\beta - 2 + 2(1-\beta)^{\frac32} - \varepsilon. \qquad (3)$$

The algorithm's time and space complexity is polynomial in $\log N$ and $\varepsilon^{-1}$.

Before we provide a proof for Theorem 3 we would like to interpret its implications. Notice that Theorem 3 yields in the special case $\beta = 1$ the bound $X_1 X_2 \le N^{1-\varepsilon}$, which corresponds to the folklore bound for linear equations. Since we are unaware of a good reference for the folklore method in the cryptographic literature, we briefly sketch the derivation of this bound in Appendix A. Thus, our result generalizes the folklore method to more general moduli.

On the other hand, we would like to compare our result with the one of Coppersmith for factoring with high bits known when $p, q$ are of equal bit-size, i.e. $\beta = \frac12$. Coppersmith's result allows a maximal size of $N^{0.25}$ for one unknown block. Our result states a bound of $N^{0.207}$ for the product of two blocks. The best that we could hope for was to obtain a total of $N^{0.25}$ for two blocks as well. However, it seems quite natural that the bound decreases with the number $n$ of blocks. On the other hand, we are able to show that if the unknown blocks are significantly unbalanced in size, then one can improve on the bound $N^{0.207}$. It turns out that the more unbalanced $X_1, X_2$ are, the better. In the extreme case, we obtain $X_1 = N^{0.25}$, $X_2 = 1$. Notice that in this case, the variable $x_2$ vanishes and we indeed obtain the univariate result $N^{0.25}$ of Coppersmith. Hence, our method contains the Coppersmith bound as a special case as well. We give more details after the following proof of Theorem 3.

Proof. Define $X_1 X_2 := N^{3\beta - 2 + 2(1-\beta)^{3/2} - \varepsilon}$ and fix $m = \lceil 3\beta/\varepsilon \rceil$.

We define a collection of polynomials which share a common root modulo $p^t$ by

$$g_{k,i}(x_1, x_2) := x_2^i\, f^k(x_1, x_2)\, N^{\max\{t-k,\,0\}} \qquad (4)$$

for $k = 0, \ldots, m$; $i = 0, \ldots, m-k$ and some $t = \tau m$ that will be optimized later.

We can define the following polynomial ordering for our collection. Let $g_{k,i}, g_{l,j}$ be two polynomials. If $k < l$ then $g_{k,i} < g_{l,j}$; if $k = l$ then $g_{k,i} < g_{l,j} \Leftrightarrow i < j$. If we sort the polynomials according to that ordering, every subsequent polynomial in the ordering introduces exactly one new monomial. Thus, the corresponding coefficient vectors define a lower triangular lattice basis, like in Figure 1.
Fig. 1. Basis Matrix in Triangular Form

From the basis matrix we can easily compute the determinant as the product of the entries on the diagonal as $\det(L) = X_1^{s_x} X_2^{s_y} N^{s_N}$, where

$$s_x = s_y = \tfrac16\left(m^3 + 3m^2 + 2m\right), \qquad s_N = \sum_{i=0}^{\tau m - 1} (m + 1 - i)(\tau m - i). \qquad (5)$$

Now we apply $L^3$ basis reduction to the lattice basis. Our goal is to find two coefficient vectors whose corresponding polynomials contain all small roots over the integers. Theorem 2 gives us an upper bound on the norm of a second-to-shortest vector in the $L^3$-reduced basis. If this bound is in turn smaller than the bound in Howgrave-Graham's lemma (Lemma 1), we obtain the desired two polynomials. I.e., we have to satisfy the condition

$$\det(L)^{\frac{1}{d-1}}\, 2^{\frac{d}{4}} \le d^{-\frac12}\, N^{\beta\tau m}, \qquad (6)$$

where $d$ is the dimension of the lattice $L$, which in our case is $d = \frac12(m^2 + 3m + 2)$. If we plug in the value for the determinant and use the fact that $s_x = s_y$, we obtain the condition

$$X_1 X_2 \le 2^{-\frac{d(d-1)}{4 s_x}}\; d^{-\frac{d-1}{2 s_x}}\; N^{\frac{\beta\tau m (d-1) - s_N}{s_x}}. \qquad (7)$$

Setting $\tau = 1 - \sqrt{1-\beta}$, the exponent of $N$ can be lower bounded by

$$3\beta - 2 + 2(1-\beta)^{\frac32} - \frac{3\beta}{m}. \qquad (8)$$

[Details can be found in Appendix B.]

Comparing this with the value of $X_1 X_2$, which we defined in the beginning, we can express how $m$ depends on the error term $\varepsilon$:

$$m \ge \frac{3\beta}{\varepsilon}, \qquad (9)$$

which holds for our choice of $m$. Therefore, the required condition is fulfilled.
It remains to show that the algorithm's complexity is polynomial in $\log N$ and $\varepsilon^{-1}$. The running time is dominated by $L^3$ reduction, which is polynomial in the dimension of the lattice and in the bitsize of the entries. Recall that our lattice's dimension is $O(m^2)$ and therefore polynomial in $\varepsilon^{-1}$. For the matrix entries we notice that the power $f^k$ in the $g_{k,i}$'s can be reduced modulo $N^k$, since we are looking for roots modulo $N^k$. Thus, the coefficients of $f^k N^{\max\{\tau m - k,\,0\}}$ have bitsize $O(m \log N)$. Powers of $X_2$ appear only with exponents up to $m$ and therefore their bitsize can also be upper bounded by $O(m \log N)$. Thus, the coefficients' bitsize is $O(\varepsilon^{-1} \log N)$.

Remark: We also analyzed the bivariate modular instance as a trivariate equation over the integers, which is modelled by

$$(a_1 x_1 + a_2 x_2 + a_3)\,y - N = 0, \qquad (10)$$

where $y$ stands for … . It turns out that we obtain the same bounds as in the modular case.

Theorem 3 holds for any bounds $X_1, X_2$ within the proven bound for the product $X_1 X_2$. As pointed out before, the analysis can be improved if one of the bounds is significantly smaller than the other one, say $X_1 \ll X_2$. Then one should employ additional extra shifts in the smaller variable, which intuitively means that the smaller variable gets stronger weight since it causes smaller costs.

We do not give the exact formulas for this optimization process. Instead, we show in Figure 2 the resulting graph that demonstrates how the result converges to the known bound $N^{0.25}$ for unbalanced block-sizes.

Notice that the result from Theorem 3 is indeed optimal not only for equal block-sizes $X_1 = X_2$ but for most of the possible splittings of block-sizes. Only in extreme cases a better result can be achieved. In the subsequent section, we generalize Theorem 3 to an arbitrary number $n$ of blocks. In the generalization, however, we will not consider the improvement that can be achieved for strongly imbalanced block-sizes.

Naturally, the bounds $N^{0.25}$ for $n = 1$ and $N^{0.207}$ for $n = 2$ get worse for arbitrary $n$. But surprisingly, we will show that for $n \to \infty$ the bound does not converge to $N^0$ as one might expect, but instead to $N^{0.153}$. To illustrate this result: if $N$ is a 1000-bit modulus and $p, q$ are 500 bit each, then 153 bit can be recovered given the remaining 347 bits, or 69.4% of $p$, in any known positions. However, as we will see in the next section, the complexity heavily depends on the number of unknown blocks.

Fig. 2. Optimized Result



4 Extension to More Variables 

In this section, we generalize the result of Section 3 from bivariate linear equations with $n = 2$ to an arbitrary number $n$ of variables $x_1, \ldots, x_n$.

Let $X_1, X_2, \ldots, X_n$ be upper bounds for the variables $x_1, x_2, \ldots, x_n$. As in Theorem 3 we will focus on proving a general upper bound for the product $X_1 X_2 \cdots X_n$ that is valid for any $X_1, X_2, \ldots, X_n$. Similar to the reasoning in Section 3 it is possible to achieve better results for strongly unbalanced $X_i$ by giving more weight to variables $x_i$ with small upper bounds. Although we did not analyze it, we strongly expect that in the case $X_1 = N^{0.25}$, $X_2 = \cdots = X_n = 1$ everything boils down to the univariate case analyzed by Coppersmith/Howgrave-Graham, except that we obtain an unnecessarily large lattice dimension.

Naturally, we achieve an inferior bound than $N^{0.25}$. But in contrast, our bound holds no matter how the sizes of the unknowns are distributed among the upper bounds $X_i$. Let us state our main theorem.

Theorem 4. Let $\varepsilon > 0$ and let $N$ be a sufficiently large composite integer with a divisor $p \ge N^\beta$. Furthermore, let $f(x_1, \ldots, x_n) \in \mathbb{Z}[x_1, \ldots, x_n]$ be a monic linear polynomial in $n$ variables. Under Assumption 1 we can find all solutions $(y_1, \ldots, y_n)$ of the equation $f(x_1, \ldots, x_n) = 0 \bmod p$ with $|y_1| \le N^{\gamma_1}, \ldots, |y_n| \le N^{\gamma_n}$ if

$$\sum_{i=1}^{n} \gamma_i \le 1 - (1-\beta)^{\frac{n+1}{n}} - (n+1)\left(1 - \sqrt[n]{1-\beta}\right)(1-\beta) - \varepsilon. \qquad (11)$$

The time and space complexity of the algorithm is polynomial in $\log N$ and $\left(\frac{e}{\varepsilon}\right)^n$, where $e$ is Euler's constant.

We will prove Theorem 4 at the end of this section. Let us first discuss the implications of the result and the consequences for the factoring with known bits problem. First of all, the algorithm's running time is exponential in the number $n$ of blocks. Thus in order to obtain a polynomial complexity one has to restrict

$$n = O\!\left(\frac{\log\log N}{1 + \log\left(\frac{e}{\varepsilon}\right)}\right).$$

This implies that for any constant error term $\varepsilon$, our algorithm is polynomial time whenever $n = O(\log\log N)$.

The proof of the following theorem shows that the bound for $X_1 \cdots X_n$ in Theorem 4 converges for $n \to \infty$ to $N^{\beta + (1-\beta)\ln(1-\beta)}$. For the factoring with known bits problem with $\beta = \frac12$ this yields the bound $N^{\frac12(1 - \ln 2)} \approx N^{0.153}$. This means that we can recover a $(1 - \ln(2)) \approx 0.306$-fraction of the bits of $p$, or in other words a $\ln(2) \approx 0.694$-fraction of the bits of $p$ has to be known.

Theorem 5. Let $\varepsilon > 0$. Suppose $N$ is a sufficiently large composite integer with a divisor $p \ge N^\beta$. Further, suppose we are given a

$$\left(1 - \frac{1}{\beta}\right)\ln(1-\beta) + \varepsilon \qquad (12)$$

fraction of the bits of $p$. Then, under Assumption 1, we can compute the unknown bits of $p$ in time polynomial in $\log N$ and $\left(\frac{e}{\varepsilon}\right)^n$, where $e$ is Euler's constant.
Proof. From Theorem 4 we know that we can compute a solution to the equation

$$a_1 x_1 + a_2 x_2 + \ldots + a_n x_n + a_{n+1} = 0 \bmod p$$

as long as the product of the unknowns is smaller than $N^\gamma$, where $\gamma = \sum_{i=1}^{n} \gamma_i$ is upper-bounded as in Inequality (11). As noticed already, the bound for $\gamma$ actually converges for $n \to \infty$ to a value different from zero. Namely,

$$\lim_{n \to \infty}\left(1 - (1-\beta)^{\frac{n+1}{n}} - (n+1)\left(1 - \sqrt[n]{1-\beta}\right)(1-\beta)\right) = \beta + (1-\beta)\ln(1-\beta). \qquad (13)$$

Hence, this is the portion of $p$ we can at least compute, no matter how many unknowns we have.

Conversely, once we have $\left((\beta - 1)\ln(1-\beta) + \varepsilon\right)\log N$ bits of $p$ given together with their positions, we are able to compute the missing ones. Since $\log N \le \frac{\log p}{\beta}$, we need at most a $\left(\left(1 - \frac1\beta\right)\ln(1-\beta) + \varepsilon\right)$-fraction of the bits of $p$.

Theorem 5 implies a polynomial-time algorithm for the factoring with known bits problem whenever the number of unknown bit-blocks is $n = O(\log\log N)$. However, the algorithm can be applied for larger $n$ as well. As long as $n$ is sub-polynomial in the bit-size of $N$, the resulting complexity will be sub-exponential in the bit-size of $N$.

It remains to prove our main theorem. 

Proof of Theorem 4.

Define $\prod_{i=1}^{n} X_i := N^{1 - (1-\beta)^{\frac{n+1}{n}} - (n+1)\left(1 - \sqrt[n]{1-\beta}\right)(1-\beta) - \varepsilon}$. Let us fix

$$m = \left\lceil \frac{n\left((1-\beta)^{-0.278465} - (1-\beta)\right)}{\varepsilon} \right\rceil. \qquad (14)$$

We define the following collection of polynomials which share a common root modulo $p^t$:

$$g_{i_2, \ldots, i_n, k} = x_2^{i_2} \cdots x_n^{i_n}\, f^k\, N^{\max\{t-k,\,0\}} \qquad (15)$$

where $i_j \in \{0, \ldots, m\}$ such that $\sum_{j=2}^{n} i_j \le m - k$. The parameter $t = \tau m$ has to be optimized. Notice that the set of monomials of $g_{i_2, \ldots, i_n, k}$ defines an $n$-dimensional simplex.

It is not hard to see that there is an ordering of the polynomials in such a way that each new polynomial introduces exactly one new monomial. Therefore the lattice basis constructed from the coefficient vectors of the $g_{i_2, \ldots, i_n, k}$'s has triangular form, if they are sorted according to the order. The determinant $\det(L)$ of the corresponding lattice $L$ is then simply the product of the entries on the diagonal:

$$\det(L) = \prod_{i=1}^{n} X_i^{s_{X_i}}\, N^{s_N}, \qquad (16)$$

with $s_{X_i} = \binom{m+n}{n+1}$ and $s_N = \tau m\, d - \binom{m+n}{n+1} + \binom{m(1-\tau)+n}{n+1}$, where $d = \binom{m+n}{n}$ is the dimension of the lattice.
Now we ensure that the vectors from $L^3$ are sufficiently small, so that we can apply the lemma of Howgrave-Graham (Lemma 1) to obtain a solution over $\mathbb{Z}$. We have to satisfy the condition

$$2^{\frac{d(d-1)}{4(d-n+1)}}\,\det(L)^{\frac{1}{d-n+1}} \le d^{-\frac12}\, N^{\beta\tau m}.$$

Using the value of the determinant in (16) and the fact that all $s_{X_i}$ are equal, we obtain

$$\prod_{i=1}^{n} X_i \le 2^{-\frac{d(d-1)}{4 s_{X_1}}}\; d^{-\frac{d-n+1}{2 s_{X_1}}}\; N^{\frac{\beta m \tau (d-n+1) - s_N}{s_{X_1}}}.$$

In the appendix we show how to derive a lower bound on the right-hand side for the optimal value $\tau = 1 - (1-\beta)^{\frac1n}$. Using $X_i := N^{\gamma_i}$ the condition reduces to

$$\sum_{i=1}^{n} \gamma_i \le 1 - (1-\beta)^{\frac{n+1}{n}} - (n+1)\left(1 - \sqrt[n]{1-\beta}\right)(1-\beta) - \frac{n\left((1-\beta)^{-0.278465} - (1-\beta)\right)}{m}.$$

Comparing this to the initial definition of $\prod_{i=1}^{n} X_i$, we obtain for the error term $\varepsilon$

$$-\frac{n\left((1-\beta)^{-0.278465} - (1-\beta)\right)}{m} \ge -\varepsilon \quad\Longleftrightarrow\quad m \ge \frac{n\left((1-\beta)^{-0.278465} - (1-\beta)\right)}{\varepsilon},$$

which holds for our choice of $m$.

To conclude the proof, we notice that the dimension of the lattice is $d = \binom{m+n}{n} = O\!\left(\left(\frac{e(m+n)}{n}\right)^n\right) = O\!\left(\left(\frac{e}{\varepsilon}\right)^n\right)$. For the bitsize of the entries in the basis matrix we observe that we can reduce the coefficients of $f^l$ in $g$ modulo $N^l$. Thus the product $f^k N^{\max\{\tau m - k,\,0\}}$ is upper bounded by $B = m \log N$. Further notice that the bitsize of $X_2^{i_2} \cdots X_n^{i_n}$ is also upper bounded by $m \log N$ since $\sum_j i_j \le m$ and $X_i \le N$.

The running time is dominated by the time to run $L^3$-lattice reduction on a basis matrix of dimension $d$ and bit-size $B$. Thus, the time and space complexity of our algorithm is polynomial in $\log N$ and $\left(\frac{e}{\varepsilon}\right)^n$. □


5 Experimental Results 

We implemented our lattice-based algorithm using the $L^2$-algorithm from Nguyen, Stehlé [NS05]. We tested the algorithm for instances of the factoring with known bits problem with $n = 2, 3$ and $4$ blocks of unknown bits. Table 1 shows the experimental results for a 512-bit RSA modulus $N$ with divisor $p$ of size $p \ge N^{0.5}$.

For given parameters $m, t$ we computed the number of bits that one should theoretically be able to recover from $p$ (column pred of Table 1). For each bound we made two experiments (column exp). The first experiment splits the bound into $n$ equally sized pieces, whereas the second experiment unbalancedly splits
the bound into one large piece and $n - 1$ small ones. In the unbalanced case, we were able to recover a larger number of bits than theoretically predicted. This is consistent with the reasoning in Sections 3 and 4.

Table 1. Experimental Results

 n   m   t   dim(L)   pred (bit)   exp (bit)     time (min)
 2  15   4     136        90       45/45             25
 2  15   4     136        90       87/5              15
 3   7   1     120        56       19/19/19           0.3
 3   7   1     120        56       52/5/5             0.3
 3  10   2     286        69       23/23/23         450
 3  10   2     286        69       57/6/6           580
 4   5   1     126        22       7/6/6/6            3
 4   5   1     126        22       22/2/2/2           4.5
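The following Python is an added check, not code from the paper: it evaluates the lattice parameters used in the proofs of Theorems 3 and 4, i.e. the dimension $d$, the exponents $s_{X_i}$ and $s_N$ of (16) (both as the direct sum over the polynomials and in the closed form of the proof), and the exponent of $N$ obtained from the $L^3$/Howgrave-Graham condition, from which the pred column of Table 1 follows for $\beta = 0.5$ and a 512-bit $N$. As in Appendix B, the powers of 2 and $d$ in (7) are dropped as negligible. It also evaluates the leading term of (11) and its limit (13).

```python
from fractions import Fraction
from math import comb, log


def dimension(n, m):
    """d = C(m+n, n): number of polynomials g_{i_2..i_n,k} with i_2+...+i_n <= m-k, 0 <= k <= m."""
    return comb(m + n, n)


def s_X(n, m):
    """Exponent of every X_i in det(L), C(m+n, n+1); for n = 2 this is (m^3+3m^2+2m)/6 as in (5)."""
    return comb(m + n, n + 1)


def s_N_direct(n, m, t):
    """Exponent of N in det(L): the polynomials with f^k carry N^(t-k) for k < t,
    and there are C(m-k+n-1, n-1) of them (the choices of i_2..i_n summing to at most m-k)."""
    return sum((t - k) * comb(m - k + n - 1, n - 1) for k in range(t))


def s_N_closed(n, m, t):
    """Closed form from the proof of Theorem 4: t*d - C(m+n, n+1) + C(m-t+n, n+1)."""
    return t * dimension(n, m) - comb(m + n, n + 1) + comb(m - t + n, n + 1)


def exponent_of_N(n, m, t, beta):
    """gamma with prod X_i <= N^gamma, from det(L)^(1/(d-n+1)) <= N^(beta*t), i.e. condition (6)
    for n = 2, ignoring the 2^(..) and d^(..) factors of (7).  Exact rational arithmetic."""
    d = dimension(n, m)
    return (Fraction(beta) * t * (d - n + 1) - s_N_direct(n, m, t)) / s_X(n, m)


def predicted_bits(n, m, t, beta, log2N):
    """Total number of bits of p recoverable over the n blocks (the pred column of Table 1)."""
    return int(exponent_of_N(n, m, t, beta) * log2N)


def optimal_t(n, m, beta):
    """t = tau*m for the optimal tau = 1 - (1-beta)^(1/n), rounded to the nearest integer."""
    return round((1 - (1 - beta) ** (1 / n)) * m)


def asymptotic_bound(n, beta):
    """Leading term of (11), m -> infinity: 1 - (1-b)^((n+1)/n) - (n+1)(1 - (1-b)^(1/n))(1-b).
    For n = 1 this equals beta^2 (Coppersmith), for n = 2 the bound of Theorem 3."""
    b = 1 - beta
    return 1 - b ** ((n + 1) / n) - (n + 1) * (1 - b ** (1 / n)) * b


def limit_bound(beta):
    """Limit of asymptotic_bound for n -> infinity, equation (13): beta + (1-beta) ln(1-beta)."""
    return beta + (1 - beta) * log(1 - beta)


if __name__ == "__main__":
    # the (n, m, t) rows of Table 1: 512-bit N, balanced p and q, so beta = 1/2
    for n, m, t in [(2, 15, 4), (3, 7, 1), (3, 10, 2), (4, 5, 1)]:
        print(f"n={n} m={m} t={t} dim={dimension(n, m)} "
              f"pred={predicted_bits(n, m, t, Fraction(1, 2), 512)} bits "
              f"(optimal t for this m: {optimal_t(n, m, 0.5)})")
    for n in (1, 2, 3, 10, 100):
        print(f"n={n}: asymptotic exponent {asymptotic_bound(n, 0.5):.4f}")
    # for beta = 1/2 the fraction of p that may be unknown is gamma / beta = 2 gamma
    print(f"n -> inf: exponent {limit_bound(0.5):.4f}, "
          f"fraction of p that must be known {1 - 2 * limit_bound(0.5):.4f}")
```

The computed pred values reproduce the four distinct rows of Table 1, and the rounded optimal $t$ coincides with the $t$ chosen there.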

In all of our experiments, we successfully recovered the desired small root, thereby deriving the factorization of $N$. We were able to extract the root both by Gröbner basis reduction as well as by numerical methods in a fraction of a second.

For Gröbner basis computations, it turns out to be useful that our algorithm actually outputs more sufficiently small norm polynomials than predicted by the $L^3$-bounds. This in turn helps to speed up the computation a lot.

As a numerical method, we used multidimensional Newton iteration on the starting point $\frac12(X_1, \ldots, X_n)$. Usually this did already work. If not, we were successful with the vector of upper bounds $(X_1, \ldots, X_n)$ as a starting point. Although this approach worked well and highly efficiently in practice, we are unaware of a starting point that provably lets the Newton method converge to the desired root.

Though Assumption 1 worked perfectly for the described experiments, we also considered two pathological cases, where one has to take special care.

First, a problem arises when we have a prediction of $k$ bits that can be recovered, but we use a much smaller sum of bits in our $n$ blocks. In this case, the smallest vector lies in a sublattice of small dimension. As a consequence, we discovered that then usually all of our small norm polynomials shared $f(x)$ as a common divisor. When we removed the gcd, the polynomials were again algebraically independent and we were able to retrieve the root. Notice that removing $f(x)$ does not eliminate the desired root, since $f(x)$ does not contain the root over the integers (but mod $p$).

A second problem may arise in the case of two closely adjacent unknown blocks, e.g. two blocks that are separated by one known bit only. Since in comparison with the $n$-block case the case of $n - 1$ blocks gives a superior bound, it turns out to be better in some cases to merge two closely adjacent blocks into one variable. That is what implicitly seems to happen in our approach. The computations then yield the desired root only in those variables which are sufficiently separated. The others have to be merged before re-running the algorithm in order to obtain all the unknown bits. Alternatively, we confirmed experimentally that merging the nearby blocks from the beginning immediately yields the desired root.

Both pathological cases are no failure of Assumption 1, since one can still easily extract the desired root. All that one has to do is to either remove a gcd or to merge variables.

6 Conclusion and Open Problems 

We proposed a heuristic lattice-based algorithm for finding small solutions of linear equations $a_1 x_1 + \cdots + a_n x_n + a_{n+1} = 0 \bmod p$, where $p$ is an unknown divisor of some known $N$. Our algorithm gives a solution for the factoring with known bits problem given $\ln(2) \approx 70\%$ of the bits of $p$ in any locations.

Since the time and space complexity of our algorithm is polynomial in $\log N$ but exponential in the number $n$ of variables, we obtain a polynomial time algorithm for $n = O(\log\log N)$ and a subexponential time algorithm for $n = o(\log N)$. This naturally raises the question whether there exists some algorithm with the same bound having complexity polynomial in $n$. This would immediately yield a polynomial time algorithm for factoring with 70% of the bits given, independently of the given bit locations and the number of consecutive bit blocks. We do not know whether such an algorithm can be achieved for polynomial equations with unknown divisor. On the other hand, we feel that the complexity gap between the folklore method for known divisors with complexity linear in $n$ and our method is quite large, even though the folklore method relies on much stronger assumptions.

Notice that in the factoring with known bits problem, an attacker is given the location of the given bits of $p$ and he has to fill in the missing bits. Let us give a crude analogy for this from coding theory, where one is given the codeword $p$ with erasures in some locations. Notice that our algorithm is able to correct the erasures with the help of the redundancy given by $N$. Now a challenging question is whether there exist similar algorithms for error-correction of codewords $p$. I.e., one is given $p$ with a certain percentage of the bits flipped. Having an algorithm for this problem would be highly interesting in situations with error-prone side-channels.

We would like to thank the anonymous reviewers and especially Robert Israel 
for helpful comments and ideas. 

References 

[Ajt98] Ajtai, M.: The Shortest Vector Problem in L 2 is NP-hard for Randomized 
Reductions (Extended Abstract). In: STOC, pp. 10-19 (1998) 

[BD00] Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than 
N^0.292. IEEE Transactions on Information Theory 46(4), 1339 (2000) 
[BM06] Bleichenbacher, D., May, A.: New Attacks on RSA with Small Secret CRT- 
Exponents. In: Public Key Cryptography, pp. 1-13 (2006) 

[CJL + 92] Coster, M.J., Joux, A., LaMacchia, B.A., Odlyzko, A.M., Schnorr, C.-P., 
Stern, J.: Improved Low-Density Subset Sum Algorithms. Computational 
Complexity 2, 111-128 (1992) 


Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits 419 


[CM07] Coron, J.-S., May, A.: Deterministic Polynomial-Time Equivalence of Com- 
puting the RSA Secret Key and Factoring. J. Cryptology 20(1), 39-50 
(2007) 

[Cop96a] Coppersmith, D.: Finding a Small Root of a Bivariate Integer Equation; 

Factoring with High Bits Known. In: Maurer, U.M. (ed.) EUROCRYPT 
1996. LNCS, vol. 1070, pp. 178-189. Springer, Heidelberg (1996) 

[Cop96b] Coppersmith, D.: Finding a Small Root of a Univariate Modular Equation. 

In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155-165. 
Springer, Heidelberg (1996) 

[Cop97] Coppersmith, D.: Small Solutions to Polynomial Equations, and Low Ex- 
ponent RSA Vulnerabilities. J. Cryptology 10(4), 233-260 (1997) 

[Cor07] Coron, J.-S.: Finding Small Roots of Bivariate Integer Polynomial Equa- 
tions: A Direct Approach. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, 
vol. 4622, pp. 379-394. Springer, Heidelberg (2007) 

[GM97] Girault, M., Misarsky, J.-F.: Selective Forgery of RSA Signatures Using 
Redundancy. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 
495-507. Springer, Heidelberg (1997) 

[GTV88] Girault, M., Toffin, P., Vallée, B.: Computation of approximate L-th 
roots modulo n and application to cryptography. In: Goldwasser, S. (ed.) 
CRYPTO 1988. LNCS, vol. 403, pp. 100-117. Springer, Heidelberg (1990) 

[Has88] Håstad, J.: Solving Simultaneous Modular Equations of Low Degree. SIAM 
Journal on Computing 17(2), 336-341 (1988) 

[HG97] Howgrave-Graham, N.: Finding Small Roots of Univariate Modular Equa- 
tions Revisited. In: Proceedings of the 6th IMA International Conference 
on Cryptography and Coding, pp. 131-142 (1997) 

[HG01] Howgrave-Graham, N.: Approximate Integer Common Divisors. In: 

Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 51-66. Springer, 
Heidelberg (2001) 

[LLL82] Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring Polynomials with Ra- 
tional Coefficients. Mathematische Annalen 261(4), 515-534 (1982) 

[Mau95] Maurer, U.M.: On the Oracle Complexity of Factoring Integers. Computa- 
tional Complexity 5(3/4), 237-247 (1995) 

[May03] May, A.: New RSA Vulnerabilities Using Lattice Reduction Methods. PhD 
thesis, University of Paderborn (2003) 

[May04] May, A.: Computing the RSA Secret Key Is Deterministic Polynomial Time 
Equivalent to Factoring. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, 
vol. 3152, pp. 213-219. Springer, Heidelberg (2004) 

[Min10] Minkowski, H.: Geometrie der Zahlen. Teubner (1910) 

[Ngu04] Nguyen, P.Q.: Can We Trust Cryptographic Software? Cryptographic Flaws 
in GNU Privacy Guard v1.2.3. In: Cachin, C., Camenisch, J.L. (eds.) 
EUROCRYPT 2004. LNCS, vol. 3027, pp. 555-570. Springer, Heidelberg 
(2004) 

[NS01] Nguyen, P.Q., Stern, J.: The Two Faces of Lattices in Cryptology. In: Sil- 
verman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 146-180. Springer, 
Heidelberg (2001) 

[NS05] Nguyen, P.Q., Stehlé, D.: Floating-Point LLL Revisited. In: Cramer, R. 
(ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215-233. Springer, Heidel- 
berg (2005) 

[RS85] Rivest, R.L., Shamir, A.: Efficient Factoring Based on Partial Informa- 
tion. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 31-34. 
Springer, Heidelberg (1986) 



420 M. Herrmann and A. May 


A Linear Equations with Known Modulus 

We briefly sketch the folklore method for finding small roots of linear modular equations $a_1 x_1 + \cdots + a_n x_n = 0 \bmod N$ with known modulus $N$. Further, we assume that $\gcd(a_i, N) = 1$ for some $i$, wlog $\gcd(a_n, N) = 1$. Let $X_i$ be upper bounds on $|y_i|$. We can handle inhomogeneous modular equations by introducing a term $a_{n+1} x_{n+1}$, where $|y_{n+1}| \le X_{n+1} = 1$.

We would like to point out that the heuristic for the folklore method is quite 
different compared to the one taken in our approach. First of all, the method 
requires to solve a shortest vector problem in a certain lattice. This problem is 
known to be NP-hard for general lattices. Second, one assumes that there is only 
one linear independent vector that fulfills the Minkowski bound (Theorem Q) for 
the shortest vector. 

We will show under this heuristic assumption that the shortest vector yields 
the unique solution (yi , . . . , y n ) whenever 


n x t < n - 


We multiply our linear equation with — a n 1 and obtain 

bixi + b 2 X 2 + . . . + b n - \x n -\ = x n mod N , where = 


(17) 


For a solution (y \ , . . 


) of (1T7|) we know Y^i=\ = Vn~ yN for some t/gZ. 


Consider the lattice L generated by the row vectors of the following matrix 


(Y\ 0 0 . 

0 y 2 0 


B = 


Y n b ! \ 
Y n b 2 


0 


\0 0 0 

with Yi = By construction, 

« = (yi,...,y n ~i,y)-B= (Yiy i 


Y n b n - 
Y n N ) 


■ i Y„y n ) 


is a vector of L. We show, that this is a short vector which fulfills the Minkowski 
bound from Theorem [I] If we assume that v is actually the shortest vector, then 
we can solve an SVP instance. 

Since Yiyi = < N we have | v \ \ < y/nN. Further, the determinant of the 

lattice L is 

det(L) = Nf[Y i = N f[ J 
The vector v thus fulfills the Minkowski bound, if 


< '/Vi det (L ) » <=> YI X t < N. 
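The folklore construction above, carried out end to end as an added example (this code is not part of the Herrmann-May paper; the modulus $N = 2^{31}-1$, the coefficients, the bounds $X_1 = X_2 = 2^{10}$ and the planted solution are our own choices, and the LLL routine is a small exact-arithmetic textbook implementation rather than fplll). It handles an inhomogeneous equation $a_1 x_1 + a_2 x_2 + c = 0 \bmod N$ exactly as the appendix describes, by adding the variable $x_3$ with $X_3 = 1$, builds the matrix $B$ scaled by $\prod X_i / N$ so that its entries are integers (scaling every row by the same constant does not change which vector is shortest), reduces it and reads the root off the shortest basis vector:

```python
from fractions import Fraction


def lll_reduce(basis, delta=Fraction(99, 100)):
    """Textbook LLL on integer row vectors with exact rational Gram-Schmidt.
    Adequate for the 3-dimensional lattice below; real attacks use fplll/Sage."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                   # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        lovasz = dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if lovasz:
            k += 1
        else:                                            # swap and step back
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]


def folklore_basis(a, X, N):
    """Rows of the matrix B of Appendix A for a_1 x_1 + ... + a_n x_n = 0 mod N,
    scaled by P/N with P = prod(X) so that every entry is an integer:
    Y_i = P/X_i and b_i = -a_n^{-1} a_i mod N (requires gcd(a_n, N) = 1)."""
    n = len(a)
    P = 1
    for Xi in X:
        P *= Xi
    Y = [P // Xi for Xi in X]
    inv_an = pow(a[-1], -1, N)
    bvec = [(-inv_an * ai) % N for ai in a[:-1]]
    rows = []
    for i in range(n - 1):
        row = [0] * n
        row[i] = Y[i]
        row[-1] = Y[-1] * bvec[i]
        rows.append(row)
    last = [0] * n
    last[-1] = Y[-1] * N
    rows.append(last)
    return rows, Y


def solve_inhomogeneous(a, c, X, N):
    """Small root (y_1, ..., y_n) with |y_i| <= X_i of a_1 x_1 + ... + a_n x_n + c = 0 mod N.
    The constant is absorbed as a_{n+1} x_{n+1} with X_{n+1} = 1, as in Appendix A.
    Heuristic of the appendix: the target vector is the shortest one, which needs prod(X) <= N."""
    rows, Y = folklore_basis(list(a) + [c], list(X) + [1], N)
    for v in lll_reduce(rows):
        y = [vi // Yi for vi, Yi in zip(v, Y)]   # every lattice coordinate is a multiple of Y_i
        if y[-1] < 0:                            # fix the sign so that x_{n+1} = +1
            y = [-t for t in y]
        if y[-1] != 1 or any(abs(t) > Xi for t, Xi in zip(y, X)):
            continue
        if (sum(ai * t for ai, t in zip(a, y)) + c) % N == 0:
            return y[:-1]
    return None


# Constructed instance (assumption, not from the paper): N prime, so c is invertible mod N,
# and X1 * X2 = 2^20 <= N as the appendix requires.
N = 2 ** 31 - 1
X1, X2 = 2 ** 10, 2 ** 10
A1, A2 = 1234567891, 987654321
Y1_TRUE, Y2_TRUE = 345, -678                         # planted small solution
C = (-(A1 * Y1_TRUE + A2 * Y2_TRUE)) % N              # constant term making the congruence hold

if __name__ == "__main__":
    print(solve_inhomogeneous((A1, A2), C, (X1, X2), N))
```

The gap between the target vector (norm about $2^{20.3}$) and $\det(L)^{1/3} \approx 2^{23.7}$ is what makes the "shortest vector is the solution" heuristic reliable here; with $X_1 X_2$ close to $N$ the gap closes and LLL can return an unrelated short vector, which is why the solver checks the bounds and the congruence before returning.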
B Lower Bound in Theorem 2

Starting with
$$X_1 X_2 \le 2^{-\frac{3(d-1)}{4m}}\, d^{-\frac{3}{2m}}\, N^{3\beta\tau - \frac{3 s_N}{md}},$$
we wish to derive a lower bound of the right-hand side. First we notice that for sufficiently large $N$ the powers of $2$ and $d$ are negligible. Thus, we only examine the exponent of $N$. We use the values $d = \frac{1}{2}(m^2 + 3m + 2)$ and
$$s_N = \sum_{i=0}^{\tau m} (m+1-i)(\tau m - i) = \frac{\tau m(\tau m + 1)(3m + 4 - \tau m)}{6}$$
and get
$$3\beta\tau - \frac{3 s_N}{md} = \tau(3\beta - 3\tau + \tau^2) - \frac{\tau(1-\tau)(1+\tau)}{m+1} - \frac{2\tau(1-\tau)(1-2\tau)}{m+2}.$$
The leading term $\tau(3\beta - 3\tau + \tau^2)$ is maximal for $\tau = 1 - \sqrt{1-\beta}$, so for $\tau$ we choose $1 - \sqrt{1-\beta}$; writing $s = \sqrt{1-\beta}$ for short, this results in
$$-2 + 2\sqrt{1-\beta} + 3\beta - 2\beta\sqrt{1-\beta} - \frac{s(1-s)(2-s)}{m+1} - \frac{2s(1-s)(2s-1)}{m+2}.$$
Now we combine the terms that change their sign in the possible $\beta$-range, such that we obtain a term which is either positive or negative for all $\beta \in (0,1)$. The last summand changes sign at $\beta = \frac{3}{4}$ (i.e. $s = \frac{1}{2}$), but together with the preceding one we get, since $\frac{2-s}{m+1} \ge \frac{2-s}{m+2}$,
$$\frac{s(1-s)(2-s)}{m+1} + \frac{2s(1-s)(2s-1)}{m+2} \ge \frac{s(1-s)\,(2-s+4s-2)}{m+2} = \frac{3s^2(1-s)}{m+2} > 0 \quad \text{for all } \beta \in (0,1).$$
Finally, we bound this combined term from above: replacing both denominators by $m+1$ and dropping $2(2s-1)$ where it is negative gives at most $\frac{s(1-s)\max(2-s,\,3s)}{m+1} \le \frac{4}{9(m+1)} < \frac{1}{2m}$, and we obtain
$$2^{-\frac{3(d-1)}{4m}}\, d^{-\frac{3}{2m}}\, N^{3\beta\tau - \frac{3 s_N}{md}} \ge N^{-2 + 2\sqrt{1-\beta} + 3\beta - 2\beta\sqrt{1-\beta} - \frac{1}{2m}}. \tag{18}$$
Since $-2 + 2\sqrt{1-\beta} + 3\beta - 2\beta\sqrt{1-\beta} = 3\beta - 2 + 2(1-\beta)^{\frac{3}{2}}$, this is the exponent of Theorem 2 up to an error term that vanishes for growing $m$.


C Lower Bound in Theorem 3

We derive a lower bound of
$$2^{-\frac{(d-1)(n+1)}{4m}}\, d^{-\frac{n+1}{2m}}\, N^{\left(\beta m\tau(d-n+1) - dm\tau + \frac{md}{n+1} - \binom{m(1-\tau)+n}{m(1-\tau)-1}\right)\frac{n+1}{md}}.$$
For sufficiently large $N$, the powers of $2$ and $d$ are negligible and thus we consider in the following only the exponent of $N$:
$$\left(\beta m\tau(d-n+1) - dm\tau + \frac{md}{n+1} - \binom{m(1-\tau)+n}{m(1-\tau)-1}\right)\frac{n+1}{md} = \beta\tau(n+1)\,\frac{d-n+1}{d} - \tau(n+1) + 1 - \frac{\prod_{k=0}^{n}(m(1-\tau)+k)}{n!\,md}.$$
With $d = \binom{m+n}{n} = \frac{\prod_{k=1}^{n}(m+k)}{n!}$ we have
$$\beta\tau(n+1) - \tau(n+1) + 1 - \frac{\beta\tau(n-1)(n+1)!}{\prod_{k=1}^{n}(m+k)} - \frac{\prod_{k=0}^{n}(m(1-\tau)+k)}{\prod_{k=0}^{n}(m+k)}.$$

We now analyze the last two terms separately. For the first one, if we choose $\tau = 1 - \sqrt[n]{1-\beta}$ we obtain
$$\frac{\beta\tau(n-1)(n+1)!}{\prod_{k=1}^{n}(m+k)} = \frac{\beta(1-\sqrt[n]{1-\beta})(n-1)(n+1)!}{\prod_{k=1}^{n}(m+k)} \le \frac{\beta(1-\sqrt[n]{1-\beta})(n-1)(n+1)!}{(m+1)\prod_{k=2}^{n} k} \le \frac{\beta(1-\sqrt[n]{1-\beta})\,n^2}{m}.$$
Since $1 - e^{-x} \le x$ for all $x$, we further have
$$n(1 - \sqrt[n]{1-\beta}) \le -\ln(1-\beta).$$
Using this approximation, we obtain
$$\frac{\beta\tau(n-1)(n+1)!}{\prod_{k=1}^{n}(m+k)} \le -\ln(1-\beta)\,\frac{\beta n}{m}. \tag{19}$$

The analysis of the second term $\frac{\prod_{k=0}^{n}(m(1-\tau)+k)}{\prod_{k=0}^{n}(m+k)}$ is a bit more involved. We use its partial fraction expansion to show an upper bound.

Lemma 2. For $\tau = 1 - (1-\beta)^{\frac{1}{n}}$ we have
$$\frac{\prod_{k=0}^{n}(m(1-\tau)+k)}{\prod_{k=0}^{n}(m+k)} \le (1-\tau)^{n+1} + \frac{n+1}{\pi m}\,(1-\beta)^{-0.278465}. \tag{20}$$

Proof. First notice that
$$\frac{\prod_{k=0}^{n}(m(1-\tau)+k)}{\prod_{k=0}^{n}(m+k)} = (1-\tau)^{n+1} + \frac{\prod_{k=0}^{n}(m(1-\tau)+k) - (1-\tau)^{n+1}\prod_{k=0}^{n}(m+k)}{\prod_{k=0}^{n}(m+k)}.$$
We analyze the second part of this sum. Its numerator has degree at most $n$ in $m$ (the leading terms cancel), so its partial fraction expansion is
$$\frac{\prod_{k=0}^{n}(m(1-\tau)+k) - (1-\tau)^{n+1}\prod_{k=0}^{n}(m+k)}{\prod_{k=0}^{n}(m+k)} = \sum_{i=0}^{n} \frac{c_i}{m+i}. \tag{21}$$
Our goal is to determine the values $c_i$. Start by multiplying with $\prod_{k=0}^{n}(m+k)$:
$$\prod_{k=0}^{n}(m(1-\tau)+k) - (1-\tau)^{n+1}\prod_{k=0}^{n}(m+k) = \sum_{i=0}^{n} c_i \prod_{k \ne i}(m+k).$$
Now we successively set $m$ equal to the roots of the denominator and solve for $c_i$. For the $i$-th root $m = -i$ we obtain
$$\prod_{k=0}^{n}(-i(1-\tau)+k) = c_i \prod_{k \ne i}(k-i), \qquad \text{i.e.} \qquad c_i = \frac{\prod_{k=0}^{n}(-i(1-\tau)+k)}{\prod_{k \ne i}(k-i)}.$$
(For $i = 0$ the product on the left contains the factor $k = 0$, so $c_0 = 0$; in the following $i \ge 1$.) We can rewrite this in terms of the Gamma function as
$$c_i = (-1)^i\, \frac{\Gamma(-i(1-\tau)+n+1)}{\Gamma(i+1)\,\Gamma(n-i+1)\,\Gamma(-i(1-\tau))}.$$
Using the identity $\Gamma(-z) = -\frac{\pi}{\sin(\pi z)\,\Gamma(z+1)}$, we obtain
$$c_i = (-1)^{i+1}\, \frac{\Gamma(-i(1-\tau)+n+1)\,\Gamma(i(1-\tau)+1)}{\Gamma(i+1)\,\Gamma(n-i+1)} \cdot \frac{\sin(\pi i(1-\tau))}{\pi}.$$
In the following we use $Q := \frac{\Gamma(-i(1-\tau)+n+1)\,\Gamma(i(1-\tau)+1)}{\Gamma(i+1)\,\Gamma(n-i+1)}$.

We now give an upper bound on the absolute value of $c_i$. Start by using the value $\tau = 1 - \sqrt[n]{1-\beta}$ and let $1-\beta = e^{-c}$ for some $c > 0$, so that $1 - \tau = e^{-\frac{c}{n}}$. Consider
$$\ln\frac{\Gamma(ie^{-\frac{c}{n}}+1)}{\Gamma(i+1)} = -\int_0^{i - ie^{-\frac{c}{n}}} \psi(1+i-t)\,dt \qquad \text{and} \qquad \ln\frac{\Gamma(-ie^{-\frac{c}{n}}+n+1)}{\Gamma(n-i+1)} = \int_0^{i - ie^{-\frac{c}{n}}} \psi(n-i+1+t)\,dt.$$
Therefore
$$\ln Q = \int_0^{i - ie^{-\frac{c}{n}}} \psi(n-i+1+t) - \psi(1+i-t)\,dt.$$
The Digamma function $\psi$ is increasing and thus the integrand is increasing and we get the approximation
$$\ln Q \le \left(i - ie^{-\frac{c}{n}}\right)\left(\psi\!\left(n+1-ie^{-\frac{c}{n}}\right) - \psi\!\left(1+ie^{-\frac{c}{n}}\right)\right).$$
Let $i = tn$. Then for fixed $t$ the expression on the right-hand side converges for $n \to \infty$ to
$$\lim_{n \to \infty} \left(i - ie^{-\frac{c}{n}}\right)\left(\psi\!\left(n+1-ie^{-\frac{c}{n}}\right) - \psi\!\left(1+ie^{-\frac{c}{n}}\right)\right) = c\,t\ln\!\left(\frac{1}{t} - 1\right).$$
By numeric computation, the maximum of $t\ln(\frac{1}{t} - 1)$ in the range $0 < t < 1$ is $0.278465$. Thus,
$$\ln Q \le 0.278465\,c, \qquad Q \le (1-\beta)^{-0.278465}.$$
Putting things together, we have
$$|c_i| = Q\,\frac{|\sin(\pi i(1-\tau))|}{\pi} \le \frac{1}{\pi}\,(1-\beta)^{-0.278465}.$$
The initial problem of estimating the partial fraction expansion from equation (21) now states
$$\frac{\prod_{k=0}^{n}(m(1-\tau)+k) - (1-\tau)^{n+1}\prod_{k=0}^{n}(m+k)}{\prod_{k=0}^{n}(m+k)} = \frac{c_0}{m} + \frac{c_1}{m+1} + \cdots + \frac{c_n}{m+n} \le \frac{n+1}{\pi m}\,(1-\beta)^{-0.278465}. \qquad \square$$

Now that we have bounds on the individual terms, we can give a bound on the complete expression:
$$2^{-\frac{(d-1)(n+1)}{4m}}\, d^{-\frac{n+1}{2m}}\, N^{\left(\beta m\tau(d-n+1) - dm\tau + \frac{md}{n+1} - \binom{m(1-\tau)+n}{m(1-\tau)-1}\right)\frac{n+1}{md}} \ge N^{\beta\tau(n+1) - \tau(n+1) + 1 - (1-\tau)^{n+1} - \frac{n+1}{\pi m}(1-\beta)^{-0.278465} + \ln(1-\beta)\,\frac{\beta n}{m}}.$$
For $\tau = 1 - \sqrt[n]{1-\beta}$ the part of the exponent that does not depend on $m$ equals $1 - (1-\beta)^{\frac{n+1}{n}} - (n+1)\left(1 - \sqrt[n]{1-\beta}\right)(1-\beta)$, the exponent of Theorem 3, and the remaining terms vanish for growing $m$.
Abstract. After the improvement by Courtois and Meier of the algebraic attacks on stream ciphers and the introduction of the related notion of algebraic immunity, several constructions of infinite classes of Boolean functions with optimum algebraic immunity have been proposed. All of them gave functions whose algebraic degrees are high enough for resisting the Berlekamp-Massey attack and the recent Rønjom-Helleseth attack, but whose nonlinearities either achieve the worst possible value (given by Lobanov's bound) or are slightly superior to it. Hence, these functions do not allow resistance to fast correlation attacks. Moreover, they do not behave well with respect to fast algebraic attacks. In this paper, we study an infinite class of functions which achieve an optimum algebraic immunity. We prove that they have an optimum algebraic degree and a much better nonlinearity than all the previously obtained infinite classes of functions. We check that, at least for small values of the number of variables, the functions of this class have in fact a very good nonlinearity and also a good behavior against fast algebraic attacks.

Keywords: Algebraic attack, Boolean function, Stream cipher.


1 Introduction

Before this century, the Boolean functions used in the combiner and filter models of stream ciphers (see description e.g. in [?]) had mainly to be balanced, to have a high algebraic degree, a high nonlinearity and, in the case of the combiner model, a high correlation immunity (in the case of the filter model, a correlation immunity of order 1 is commonly considered as sufficient; in most cases, it is easily achieved without losing the other properties, by replacing the function by a linearly equivalent one). These properties could be satisfied by functions of about 10 variables. But the algebraic attacks introduced by Courtois and Meier (or more properly speaking improved by them, since the idea of algebraic attacks comes already from Shannon), which have allowed cryptanalysing several stream ciphers [?], have led to more constraints on the functions, and obliged to increase the number of variables up to at least 13 variables and in practice much more (maybe 20). The property needed for resisting the standard algebraic attack of Courtois and Meier [?] is a high algebraic immunity [23]: for a given Boolean function $f$ on $n$ variables, any nonzero Boolean function $g$ such that $f * g = 0$ or $(1+f) * g = 0$ should have high algebraic degree, where $*$ is the multiplication of functions inherited from multiplication in $\mathbb{F}_2$, the finite field with two elements. The best possible algebraic immunity of $n$-variable functions is $\lceil n/2 \rceil$ [?]. It has been proved in [?] that, for all $a < 1$, when $n$ tends to infinity, $AI(f)$ is almost surely greater than $\frac{n}{2} - \sqrt{\frac{n}{2}\ln\left(\frac{n}{2a\ln 2}\right)}$. Hence, random functions behave well with respect to the algebraic immunity (but this does not mean that functions with good algebraic immunity are easy to construct).

Having a high algebraic immunity is not sufficient for resisting the fast algebraic attacks introduced by Courtois in [?]: if one can find $g$ of low degree and $h \ne 0$ of reasonable degree such that $f * g = h$, then a fast algebraic attack (FAA) is feasible. No result is known on the behavior of random functions against FAA.

Even a high resistance to fast algebraic attacks is not sufficient, since algebraic attacks on the augmented function [?] can be efficient when fast algebraic attacks are not. The resistance to these attacks is not properly speaking a property of the function used in a cipher, and studying the resistance of the cipher to them obliges to consider all possible update functions (of the linear part of the pseudo-random generator).

It is a difficult challenge to find functions achieving all of the necessary criteria, and the research of such functions has taken a significant delay with respect to cryptanalyses. The research of Boolean functions that can resist algebraic attacks, the Berlekamp-Massey attack and the fast correlation attacks has not given fully satisfactory results: we know that functions achieving optimal or suboptimal algebraic immunity and at the same time balancedness, high algebraic degree and high nonlinearity must exist thanks to the results of [?]. Such functions have been found with sufficient numbers of variables thanks to Algorithm 1 of [2] (others can be found by using the algorithm of [?]). But the functions given in [2] belong to classes which do not, potentially, have a good asymptotic algebraic immunity (see [33]), and it remains to be seen whether these functions behave well against fast algebraic attacks. No infinite class of functions with good algebraic immunity and good nonlinearity has been exhibited so far.

There are, up to now, two main infinite classes of Boolean functions achieving optimum algebraic immunity. The first one contains functions in even numbers $n$ of variables and is obtained by an iterative construction. The constructed functions have been further studied in [?], where it is shown that their algebraic degrees are close to $n$ but their nonlinearity is $2^{n-1} - \binom{n-1}{n/2}$, which is insufficient. Moreover, they are not balanced (but it is possible to build balanced functions from these ones) and are weak against fast algebraic attacks [?]. The second class contains symmetric functions (whose values depend only on the Hamming weight of the input vectors) [?] or functions whose values depend on the Hamming weight of the input vectors except for a few inputs [?]. The nonlinearities of these functions often do not exceed $2^{n-1} - \binom{n-1}{n/2}$ and when they do, they are not much greater than this number, see [?]. They are still weaker against fast algebraic attacks [?]. The functions constructed in [?] seem to have worse nonlinearity than those of [?]. Apart from these infinite classes, some power functions with sub-optimal algebraic immunity, in at most 20 variables, have been exhibited in [?, Table 1]. The behavior of these functions against fast algebraic attacks has not been investigated so far.

In the present paper, we show that an infinite class of balanced functions with optimal algebraic immunity, which has been considered in [?] for showing the tightness of bounds on the algebraic immunity of vectorial functions, has potentially a good nonlinearity. We give a very simple proof of the optimal algebraic immunity of these functions. We show that they have also optimal algebraic degree and we prove a lower bound on their nonlinearities which is much larger than the best nonlinearities of the infinite classes of functions with optimal algebraic immunity found so far. However, this bound is not enough for saying these functions have good nonlinearities. We compute for small values of $n$ the exact values of the nonlinearity, which are very good and much bigger than the lower bound, and we also check for these values of $n$ that the functions behave well against fast algebraic attacks. This is the first time a function (and moreover a whole infinite class of functions) seems able to satisfy all of the main criteria for being used as a filtering function in a stream cipher.

The rest of the paper is organized as follows. In Section 2 we recall the necessary background. In Section 3 we give a simple proof that the functions of the class have optimal algebraic immunity. In Section 4 we calculate the univariate representation of the functions and deduce their algebraic degree. We prove a lower bound on their nonlinearity. We give also the exact values of the nonlinearity for small values of $n$. In Section 5 we give the results of computer investigations suggesting a good immunity of the functions against fast algebraic attacks.

2 Preliminaries

Let $\mathbb{F}_2^n$ be the $n$-dimensional vector space over $\mathbb{F}_2$, and $\mathcal{B}_n$ the set of $n$-variable (Boolean) functions from $\mathbb{F}_2^n$ to $\mathbb{F}_2$. The basic representation of a Boolean function $f(x_1, \ldots, x_n)$ is by the output column of its truth table, i.e., a binary string of length $2^n$,
$$[f(0,0,\ldots,0),\ f(1,0,\ldots,0),\ f(0,1,\ldots,0),\ f(1,1,\ldots,0),\ \ldots,\ f(1,1,\ldots,1)].$$
The Hamming weight $wt(f)$ of a Boolean function $f \in \mathcal{B}_n$ is the weight of this string, that is, the size of the support $Supp(f) = \{x \in \mathbb{F}_2^n \mid f(x) = 1\}$ of the function. The Hamming distance $d_H(f, g)$ between two Boolean functions $f$ and $g$ is the Hamming weight of their difference $f + g$ (by abuse of notation, we use $+$ to denote the addition on $\mathbb{F}_2$, i.e., the XOR). We say that a Boolean function $f$ is balanced if its truth table contains an equal number of 1's and 0's, that is, if its Hamming weight equals $2^{n-1}$.

Any Boolean function has a unique representation as a multivariate polynomial over $\mathbb{F}_2$, called the algebraic normal form (ANF), of the special form:
$$f(x_1, \ldots, x_n) = \sum_{I \subseteq \{1, 2, \ldots, n\}} a_I \prod_{i \in I} x_i.$$
The algebraic degree, $\deg(f)$, is the global degree of this polynomial, that is, the number of variables in the highest order term with non-zero coefficient. A Boolean function is affine if it has degree at most 1. The set of all affine functions is denoted by $\mathcal{A}_n$.

We shall need another representation of Boolean functions, by univariate polynomials over the field $\mathbb{F}_{2^n}$. We identify the field $\mathbb{F}_{2^n}$ and the vector space $\mathbb{F}_2^n$: this field being an $n$-dimensional $\mathbb{F}_2$-vector space, we can choose a basis $(\beta_1, \ldots, \beta_n)$ and identify every element $x = \sum_{i=1}^{n} x_i \beta_i \in \mathbb{F}_{2^n}$ with the $n$-tuple of its coordinates $(x_1, \ldots, x_n) \in \mathbb{F}_2^n$. Every function $f : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ (and in particular every Boolean function $f : \mathbb{F}_{2^n} \to \mathbb{F}_2$) can then be uniquely represented as a polynomial $\sum_{j=0}^{2^n-1} a_j x^j$ where $a_j \in \mathbb{F}_{2^n}$. Indeed, the mapping which maps every such polynomial to the corresponding function from $\mathbb{F}_{2^n}$ to itself is $\mathbb{F}_{2^n}$-linear, injective (since a non-zero polynomial of degree at most $2^n - 1$ over a field cannot have more than $2^n - 1$ zeroes in this field) and therefore surjective since the $\mathbb{F}_{2^n}$-vector spaces of these polynomials and of the functions from $\mathbb{F}_{2^n}$ to itself have the same dimension $2^n$. The function is Boolean if and only if the functions $f(x)$ and $(f(x))^2$ are represented by the same polynomial, that is, if $a_0, a_{2^n-1} \in \mathbb{F}_2$ and, for every $i = 1, \ldots, 2^n - 2$, we have $a_{2i} = (a_i)^2$, where $2i$ is taken mod $2^n - 1$. Then the algebraic degree of the function equals the maximum 2-weight $w_2(j)$ of $j$ such that $a_j \ne 0$, where the 2-weight of $j$ equals the number of 1's in its binary expansion. We briefly recall why, since the algebraic degree is an important parameter and we will need this when studying the functions. Writing $j = \sum_{s=0}^{n-1} j_s 2^s$, we have the equalities:
$$f(x) = \sum_{j=0}^{2^n-1} a_j \left(\sum_{i=1}^{n} x_i \beta_i\right)^{\sum_{s=0}^{n-1} j_s 2^s} = \sum_{j=0}^{2^n-1} a_j \prod_{s=0}^{n-1} \left(\sum_{i=1}^{n} x_i \beta_i^{2^s}\right)^{j_s};$$
expanding these products, simplifying and decomposing again over the basis $(\beta_1, \ldots, \beta_n)$ gives the ANF of $f$: this proves that the algebraic degree is upper bounded by the number $\max\{w_2(j);\ a_j \ne 0\}$, and it cannot be strictly smaller, because the number of those functions from $\mathbb{F}_{2^n}$ to itself of algebraic degrees at most $d$ equals the number of those univariate polynomials $\sum_{j=0}^{2^n-1} a_j x^j$, $a_j \in \mathbb{F}_{2^n}$, such that $\max_{j \mid a_j \ne 0} w_2(j) \le d$.

In this representation, the elements of $\mathcal{A}_n$ are all the functions $tr(ax)$ and $tr(ax) + 1$, $a \in \mathbb{F}_{2^n}$, where $tr$ is the trace function: $tr(x) = x + x^2 + x^{2^2} + \cdots + x^{2^{n-1}}$.

Any Boolean function should have high algebraic degree to allow the cryptosystem to resist the Berlekamp-Massey attack [?].

Boolean functions used in cryptographic systems must have high nonlinearity to withstand fast correlation attacks (see e.g. [?]). The nonlinearity of an $n$-variable function $f$ is its distance to the set of all $n$-variable affine functions, i.e.,
$$nl(f) = \min_{g \in \mathcal{A}_n} d_H(f, g).$$
This parameter can be expressed by means of the Walsh transform. Let $x = (x_1, \ldots, x_n)$ and $\lambda = (\lambda_1, \ldots, \lambda_n)$ both belong to $\mathbb{F}_2^n$ and $\lambda \cdot x$ be the usual inner product in $\mathbb{F}_2^n$: $\lambda \cdot x = \lambda_1 x_1 + \cdots + \lambda_n x_n \in \mathbb{F}_2$, or any other inner product in $\mathbb{F}_2^n$. Let $f(x)$ be a Boolean function in $n$ variables. The Walsh transform (depending on the choice of the inner product) of $f(x)$ is the integer valued function over $\mathbb{F}_2^n$ defined as
$$W_f(\lambda) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + \lambda \cdot x}.$$
If we identify the vector space $\mathbb{F}_2^n$ with the field $\mathbb{F}_{2^n}$, then we can take for inner product $\lambda \cdot x = tr(\lambda x)$.

A Boolean function $f$ is balanced if and only if $W_f(0) = 0$. The nonlinearity of $f$ can also be given by
$$nl(f) = 2^{n-1} - \frac{1}{2} \max_{\lambda \in \mathbb{F}_2^n} |W_f(\lambda)|.$$
For every $n$-variable function $f$ we have $nl(f) \le 2^{n-1} - 2^{n/2 - 1}$.

Algebraic attacks have been introduced recently (see [?]). They recover the secret key, or at least the initialization of the cipher, by solving a system of multivariate algebraic equations. The idea that the key bits can be characterized as the solutions of such a system comes from C. Shannon [?]. In practice, for cryptosystems which are robust against the usual attacks, this system is too complex to be solved (its equations being highly nonlinear). In the case of stream ciphers, we can get a very overdefined system (i.e. a system with a number of linearly independent equations much greater than the number of unknowns). In the combiner or the filter model, with a linear part of size $N$ and with an $n$-variable Boolean function $f$ as combining or filtering function, there exists a linear permutation $L : \mathbb{F}_2^N \to \mathbb{F}_2^N$ and a linear mapping $L' : \mathbb{F}_2^N \to \mathbb{F}_2^n$ such that, denoting by $u_1, \ldots, u_N$ the initialisation and by $(s_i)_{i \ge 0}$ the pseudo-random sequence output by the generator, we have, for every $i \ge 0$:
$$s_i = f(L' \circ L^i(u_1, \ldots, u_N)).$$
The number of equations can then be much larger than the number of unknowns. This makes the resolution of the system by using Groebner bases less complex, and even allows linearizing the system (i.e. obtaining a system of linear equations by replacing every monomial of degree greater than 1 by a new unknown); the resulting linear system has however too many unknowns and cannot be solved. Courtois and Meier have had a simple but very efficient idea. Assume that there exist functions $g \ne 0$ and $h$ of low degrees (say, of degrees at most $d$) such that $f * g = h$. We have then, for every $i \ge 0$:
$$s_i\, g(L' \circ L^i(u_1, \ldots, u_N)) = h(L' \circ L^i(u_1, \ldots, u_N)).$$
This equation in $u_1, \ldots, u_N$ has degree at most $d$, since $L$ and $L'$ are linear, and the system of equations obtained after linearization can then be solved by Gaussian elimination. Low degree relations have been shown to exist for several well known constructions of stream ciphers, which were immune to all previously known attacks.

It has been shown [15,33] that the existence of such relations is equivalent to that of non-zero functions $g$ of low degrees such that $f * g = 0$ or $(f+1) * g = 0$. This led to the following definition.

Definition 1. For $f \in \mathcal{B}_n$, we define $AN(f) = \{g \in \mathcal{B}_n \mid f * g = 0\}$. Any function $g \in AN(f)$ is called an annihilator of $f$. The algebraic immunity (AI) of $f$ is the minimum degree of all the nonzero annihilators of $f$ and of all those of $f + 1$. We denote it by $AI(f)$.

Note that $AI(f) \le \deg(f)$, since $f * (1 + f) = 0$. Note also that the algebraic immunity, as well as the nonlinearity and the degree, is affine invariant (i.e. is invariant under composition by an affine automorphism). As shown in [?], we have $AI(f) \le \lceil n/2 \rceil$.

The complexity of the standard algebraic attack on the combiner model or the filter model using a nonlinear function $f$ equals roughly $O(D^3)$ in time and $O(D)$ in data, where $D = \sum_{i=0}^{AI(f)} \binom{N}{i}$, where $N$ is the size of the linear part of the pseudo-random generator.

If a function has optimal algebraic immunity $\lceil n/2 \rceil$ with $n$ odd, then it is balanced (see e.g. [?]). Whatever $n$ is, a high value of $AI(f)$ automatically implies that the nonlinearity is not very low: M. Lobanov has obtained in [?] the following tight lower bound:
$$nl(f) \ge 2 \sum_{i=0}^{AI(f)-2} \binom{n-1}{i}.$$
However, this bound does not assure that the nonlinearity is high enough:

• For $n$ even and $AI(f) = \frac{n}{2}$, it gives $nl(f) \ge 2^{n-1} - 2\binom{n-1}{n/2-1} = 2^{n-1} - \binom{n}{n/2}$, which is much smaller than the best possible nonlinearity $2^{n-1} - 2^{n/2-1}$ and, more problematically, much smaller than the asymptotic almost sure nonlinearity of Boolean functions, which is, when $n$ tends to $\infty$, located in the neighbourhood of $2^{n-1} - 2^{n/2-1}\sqrt{2n\ln 2}$ (see [?]); the nonlinearity reached by the known functions with optimal AI is equal to (or is close to) that of the majority function, which maps an input vector $x \in \mathbb{F}_2^n$ to 1 if its weight is not smaller (resp. is strictly greater) than $n/2$ and 0 otherwise (the two versions are affinely equivalent), and of the iterative construction recalled in [?]: $2^{n-1} - \binom{n-1}{n/2} = 2^{n-1} - \frac{1}{2}\binom{n}{n/2}$; this is a little better than what Lobanov's bound gives but it is insufficient. Some functions exhibited in [?] have better nonlinearities but the increase is not quite significant.

• For $n$ odd and $AI(f) = \frac{n+1}{2}$, Lobanov's bound gives $nl(f) \ge 2^{n-1} - \binom{n-1}{(n-1)/2}$, which is a little better than in the $n$ even case, but still far from the average nonlinearity of Boolean functions; the nonlinearity of the majority function matches this bound; here again, some functions exhibited in [?] have better nonlinearities but the increase is not sufficient.

A high algebraic immunity is a necessary but not sufficient condition for robustness against all kinds of algebraic attacks. Indeed, if one can find $g$ of low degree and $h \ne 0$ of reasonable degree such that $f * g = h$, then a fast algebraic attack is feasible, see [?] (note however that fast algebraic attacks need more data than standard ones). This has been exploited in [?] to present an attack on SFINKS [?] and we can say that with this attack, which comes in addition to the standard algebraic attack, Courtois has made the work of the designer very difficult. Since $f * g = h$ implies $f * h = f * f * g = f * g = h$, we see that $h$ is then an annihilator of $f + 1$ and if $h \ne 0$, then its degree is at least equal to the algebraic immunity of $f$. So summarizing, we shall say that the function behaves well with respect to fast algebraic attacks if there exists $k$ (which can be small with respect to $n$, but not too small) such that, for every nonzero function $g$ of algebraic degree at most $k$, the function $h = f * g$ has algebraic degree significantly greater than $\lceil n/2 \rceil$. It has been shown in [?] that when $e + d \ge n$, there must exist $g$ of degree at most $e$ and $h$ of degree at most $d$ such that $f * g = h$ (the number of unknown coefficients of $g$, $\sum_{i \le e}\binom{n}{i}$, then exceeds the number $\sum_{i > d}\binom{n}{i}$ of coefficients of $f * g$ of degree above $d$ that must vanish). Hence, an $n$-variable function $f$ can be considered as optimal with respect to fast algebraic attacks if there do not exist two functions $g \ne 0$ and $h$ such that $f * g = h$ and $\deg(g) + \deg(h) < n$ with $\deg(g) < n/2$. The question of the existence of such functions was completely open until the present paper.

The pseudo-random generator must also resist algebraic attacks on the augmented function [?], that is, on the vectorial function $F(x)$ whose coordinate functions are $f(x), f(L(x)), \ldots, f(L^{m-1}(x))$, where $L$ is the (linear) update function of the linear part of the generator. Algebraic attacks can be more efficient when applied to the augmented function rather than to the function $f$ itself. The efficiency of the attack depends not only on the function $f$, but also on the update function (and naturally also on the choice of $m$), since for two different update functions $L$ and $L'$, the vectorial functions $F(x)$ and $F'(x) = (f(x), f(L'(x)), \ldots, f(L'^{m-1}(x)))$ are not linearly equivalent (neither equivalent in the more general sense called CCZ-equivalence, that is, affine equivalence of the graphs of the functions). Testing the behavior of a function with respect to this attack is therefore a long term work (all possible update functions have to be investigated).

A new version of algebraic attack has been found recently by S. Rønjom and T. Helleseth [?] and is very efficient. Its time complexity is roughly $O(D)$, where $D = \sum_{i=0}^{\deg(f)} \binom{N}{i}$, where $N$ is the size of the linear part of the pseudo-random generator. But it needs much more data than standard algebraic attacks: $O(D)$ also! When $f$ has degree close to $n$ and algebraic immunity close to $\frac{n}{2}$, this is the square of what is needed by standard algebraic attacks. However, this attack obliges the designer to choose a function with very high degree.

The functions used in the combiner model must be additionally highly resilient (that is, balanced and correlation immune of a high order; see definition e.g. in [?]) to withstand correlation attacks. It seems quite difficult to achieve all of the necessary criteria including this one, and for this reason, the filter generator seems more appropriate.

3 The Infinite Class and Its Algebraic Immunity

We shall show that, for every $n$, the Boolean function on $\mathbb{F}_{2^n}$ whose support equals $\{0\} \cup \{\alpha^i;\ i = 0, \ldots, 2^{n-1} - 2\}$, where $\alpha$ is a primitive element of $\mathbb{F}_{2^n}$, has optimal algebraic immunity. This function (or more precisely its complement) makes one think of the majority function, but we shall see that it is in fact quite different since it has much better nonlinearity and it behaves much better with respect to fast algebraic attacks too.

Theorem 1. Let $n$ be any integer such that $n \ge 2$ and $\alpha$ a primitive element of the field $\mathbb{F}_{2^n}$. Let $f$ be the Boolean function on $\mathbb{F}_{2^n}$ whose support is $\{0, 1, \alpha, \ldots, \alpha^{2^{n-1}-2}\}$. Then $f$ has optimal algebraic immunity $\lceil n/2 \rceil$.

Proof. Let $g$ be any Boolean function of algebraic degree at most $\lceil n/2 \rceil - 1$. Let $g(x) = \sum_{i=0}^{2^n-1} g_i x^i$ be its univariate representation in the field $\mathbb{F}_{2^n}$, where $g_i \in \mathbb{F}_{2^n}$ is null if the 2-weight $w_2(i)$ of $i$ is at least $\lceil n/2 \rceil$ (which implies in particular that $g_{2^n-1} = 0$).

If $g$ is an annihilator of $f$, then we have $g(\alpha^i) = 0$ for every $i = 0, \ldots, 2^{n-1} - 2$, that is, the vector $(g_0, \ldots, g_{2^n-2})$ belongs to the Reed-Solomon code over $\mathbb{F}_{2^n}$ of zeroes $1, \alpha, \ldots, \alpha^{2^{n-1}-2}$ (the Reed-Solomon code of zeroes $\alpha^l, \ldots, \alpha^{l+r}$ equals by definition the set of vectors $(g_0, \ldots, g_{2^n-2})$ of $\mathbb{F}_{2^n}^{2^n-1}$ such that these elements are zeroes of the polynomial $\sum_{i=0}^{2^n-2} g_i X^i$; see [22]; there exists an equivalent definition where Reed-Solomon codes are given by evaluating polynomials at points but we shall not need it).

According to the BCH bound, if $g$ is non-zero, then the vector $(g_0, \ldots, g_{2^n-2})$ has Hamming weight at least $2^{n-1}$. The general proof of this lower bound can be found in [22] as well. For self-completeness, we briefly recall how it can be simply proved in our framework. By definition, we have, for every $j = 0, \ldots, 2^n - 2$:
$$g(\alpha^j) = \sum_{i=0}^{2^n-2} g_i \alpha^{ij},$$
which implies (since for every $0 \le i, j \le 2^n - 2$, the sum $\sum_{k=0}^{2^n-2} \alpha^{(i-j)k}$ equals 1 if $i = j$ and 0 otherwise):
$$g_i = \sum_{j=0}^{2^n-2} g(\alpha^j)\,\alpha^{-ij} = \sum_{j=2^{n-1}-1}^{2^n-2} g(\alpha^j)\,\alpha^{-ij}.$$
Suppose that at least $2^{n-1}$ of the $g_i$'s are null. Then $g(\alpha^{2^{n-1}-1}), \ldots, g(\alpha^{2^n-2})$ satisfy a homogeneous system of $2^{n-1}$ linear equations whose matrix is a $2^{n-1} \times 2^{n-1}$ Vandermonde matrix (in the distinct nodes $\alpha^{-i}$) and whose determinant is therefore non-null. This implies that $g(\alpha^{2^{n-1}-1}), \ldots, g(\alpha^{2^n-2})$ and therefore $g$ must then be null, a contradiction. Hence the vector $(g_0, \ldots, g_{2^n-2})$ has weight at least $2^{n-1}$.

Moreover, suppose that this vector has Hamming weight $2^{n-1}$ exactly. Then all the coefficients $g_i$ with $w_2(i) \le \lceil n/2 \rceil - 1$ are non-zero and $n$ is odd (so that $g(x)$ can have $2^{n-1}$ terms: the number of integers $i \in [0, 2^n - 2]$ with $w_2(i) \le \lceil n/2 \rceil - 1$ is $\sum_{k=0}^{\lceil n/2 \rceil - 1} \binom{n}{k}$, which equals $2^{n-1}$ for $n$ odd and is smaller for $n$ even); but $g_0 \ne 0$ contradicts the fact that $g(0) = 0$, since $0 \in Supp(f)$. We deduce that the vector $(g_0, \ldots, g_{2^n-2})$ has Hamming weight strictly greater than $2^{n-1}$, leading to a contradiction with the fact that $g$ has algebraic degree at most $\lceil n/2 \rceil - 1$, since the number of integers of 2-weight at most $\lceil n/2 \rceil - 1$ is not strictly greater than $2^{n-1}$.

Let $g$ be now a non-zero annihilator of $f + 1$. The vector $(g_0, \ldots, g_{2^n-2})$ belongs then to the Reed-Solomon code over $\mathbb{F}_{2^n}$ of zeroes $\alpha^{2^{n-1}-1}, \ldots, \alpha^{2^n-2}$. According to the BCH bound (which can be proven similarly as above), this vector has then Hamming weight strictly greater than $2^{n-1}$. We arrive at the same contradiction. Hence, there does not exist a non-zero annihilator of $f$ or $f + 1$ of algebraic degree at most $\lceil n/2 \rceil - 1$ and $f$ has then (optimal) algebraic immunity $\lceil n/2 \rceil$. □

Remark

1. We have proved in fact that $f$ admits no non-zero annihilator whose univariate representation has at most $2^{n-1}$ non-zero coefficients.

2. The same proof shows that, for every even $n$, denoting $D = \sum_{k=0}^{n/2-1} \binom{n}{k} = 2^{n-1} - \binom{n-1}{n/2}$, if the support of $f$ contains $\{0, \alpha^i, \alpha^{i+1}, \ldots, \alpha^{i+D-2}\}$ and if the support of $f + 1$ contains $\{\alpha^j, \alpha^{j+1}, \ldots, \alpha^{j+D-1}\}$ for suitable parameters $i, j$, then the function $f$ also has optimal AI. Moreover, for every $n$ and every positive integer $D$, if $Supp(f) \supseteq \{0, \alpha^i, \alpha^{i+1}, \ldots, \alpha^{i+D-2}\}$ and $Supp(f+1) \supseteq \{\alpha^j, \alpha^{j+1}, \ldots, \alpha^{j+D-1}\}$ for suitable parameters $i, j$, then the function $f$ has AI at least $k$ such that $D \ge \sum_{l=0}^{k-1} \binom{n}{l}$. Hence, we can build functions with sub-optimal algebraic immunity. Sub-optimality is sometimes better than optimality in cryptography, when it allows avoiding a too strong structure of the function. Here, this allows constructing a balanced function of algebraic immunity $\lceil n/2 \rceil - 1$ (for instance) and whose support is not made exclusively of consecutive powers of a primitive element.

3. Note that the function of Theorem 1 is not a priori linearly equivalent to the Boolean function whose support equals the set of the binary expansions of the integers in the range $[0; 2^{n-1} - 1]$. Indeed, for general $i = \sum_{s=0}^{n-1} i_s 2^s$ and $j = \sum_{s=0}^{n-1} j_s 2^s$, there is no bilinear relationship between $tr(\alpha^{i+j})$ and $i_0 j_0 + \cdots + i_{n-1} j_{n-1}$. This means that the inner products in both frameworks are not linearly linked.

4 Algebraic Degree and Nonlinearity of the Function 


We shall see now that the algebraic degree of the function of Theorem 1 is
cryptographically quite satisfactory and that its nonlinearity is provably much 
better than for the previously known functions with optimal algebraic immunity. 
However, the lower bound we obtain gives a value which is not high enough for 
saying that the function has good nonlinearity. Nevertheless, for the values of 
n for which we could compute the exact value of the nonlinearity, it is quite 
satisfactory too. 

Theorem 2. The univariate representation of the function f of Theorem 1
equals

  $f(x) = 1 + \sum_{i=1}^{2^n-2} \frac{(1+\alpha^i)^{1/2}}{1+\alpha^{-i}}\, x^i$     (1)

where $u^{1/2} = u^{2^{n-1}}$. Hence, f has algebraic degree n − 1 (which is optimal for a
balanced function).

Proof. Let $f(x) = \sum_{i=0}^{2^n-1} f_i x^i$ be the univariate representation of f. We have
$f_0 = f(0) = 1$, $f_{2^n-1} = 0$ (since f has even Hamming weight and therefore
algebraic degree at most n − 1) and for every $i \in \{1, \dots, 2^n-2\}$:

  $f_i = \sum_{j=0}^{2^n-2} f(\alpha^j)\,\alpha^{-ij} = \sum_{j=0}^{2^{n-1}-2} \alpha^{-ij}
       = \frac{1+\alpha^{-i(2^{n-1}-1)}}{1+\alpha^{-i}}
       = \frac{1+\alpha^{-i\,2^{n-1}}\alpha^{i}}{1+\alpha^{-i}}
       = \frac{1+(\alpha^i)^{1/2}}{1+\alpha^{-i}}
       = \frac{(1+\alpha^i)^{1/2}}{1+\alpha^{-i}}.$

This proves Relation (1). We can see that $f_{2^n-2} \ne 0$ and therefore f has alge-
braic degree n − 1. □

Remark. Computing the expression of Theorem 2 has high complexity. Actually,
the complexity of computing f{x) is comparable to computing the discrete log 
since the latter can be obtained by computing n outputs to / (with a dichotomic 
method). 

Theorem 3. Let f be defined as in Theorem 1; then:

  $nl(f) \ge 2^{n-1} + \frac{2^{n/2+1}}{\pi} \ln\left(\frac{\pi}{4(2^n-1)}\right) - 1.$

Proof. Since $(-1)^f = 2(f+1) - 1$, f is balanced and $\sum_{x \in \mathbb{F}_{2^n}} (-1)^{tr(\lambda x)} = 0$
for $\lambda \ne 0$, we have

  $nl(f) = 2^{n-1} - \frac{1}{2}\max_{\lambda \in \mathbb{F}_{2^n}^*} \left| \sum_{x \in \mathbb{F}_{2^n}} (-1)^{f(x)+tr(\lambda x)} \right|
         = 2^{n-1} - \max_{\lambda \in \mathbb{F}_{2^n}^*} |S_\lambda|,$
  where  $S_\lambda = \sum_{x \in supp(f)} (-1)^{tr(\lambda x)}$  $(\lambda \in \mathbb{F}_{2^n}^*)$.

Let $\xi = e^{\frac{2\pi\sqrt{-1}}{2^n-1}}$ be a primitive $(2^n-1)$-th root of 1 in the complex field C,
χ be the multiplicative character of $\mathbb{F}_{2^n}$ defined by $\chi(\alpha^j) = \xi^j$ $(0 \le j \le 2^n-2)$
and $\chi(0) = 0$. We define the Gauss sum:

  $G(\chi^\mu) = \sum_{x \in \mathbb{F}_{2^n}^*} \chi^\mu(x)\,(-1)^{tr(x)}$   $(0 \le \mu \le 2^n-2).$

It is well-known that $G(\chi^0) = -1$ and $|G(\chi^\mu)| = 2^{n/2}$ for $1 \le \mu \le 2^n-2$.
By Fourier transformation we have

  $(-1)^{tr(\alpha^j)} = \frac{1}{2^n-1} \sum_{\mu=0}^{2^n-2} G(\chi^\mu)\,\bar{\chi}^\mu(\alpha^j)$   $(0 \le j \le 2^n-2).$     (3)

Let $\lambda = \alpha^l$ $(0 \le l \le 2^n-2)$ and $q = 2^n$. Then $\bar{\chi}^\mu(\lambda\alpha^i) = \xi^{-\mu(l+i)}$, and by (3),
separating the term x = 0 of $S_\lambda$ (which equals 1) and the term $\mu = 0$,

  $S_\lambda = 1 + \frac{1}{q-1}\sum_{\mu=0}^{q-2} G(\chi^\mu) \sum_{i=0}^{2^{n-1}-2} \xi^{-\mu(l+i)}
            = \frac{2^{n-1}}{q-1} + \frac{1}{q-1}\sum_{\mu=1}^{q-2} G(\chi^\mu)\,\xi^{-\mu l}\,
              \frac{1-\xi^{-\mu(2^{n-1}-1)}}{1-\xi^{-\mu}}.$

Therefore, for $\lambda \in \mathbb{F}_{2^n}^*$, using $|1-\xi^{-\mu(2^{n-1}-1)}| \le 2$ and
$|1-\xi^{-\mu}| = 2\sin\frac{\pi\mu}{q-1}$,

  $|S_\lambda| \le \frac{1}{q-1}\left(2^{n/2}\sum_{\mu=1}^{q-2}\frac{1}{\sin\frac{\pi\mu}{q-1}} + 2^{n-1}\right)
              < \frac{2^{n/2+1}}{q-1}\sum_{\mu=1}^{2^{n-1}-1}\frac{1}{\sin\frac{\pi\mu}{q-1}} + 1,$

since $\sin(\pi - u) = \sin(u)$. By convexity of the function $1/\sin$ on $]0; \pi[$ we have,
for $0 < \theta < t$ and $t + \theta < \pi$:

  $\frac{1}{\sin(t-\theta)} + \frac{1}{\sin(t+\theta)} \ge \frac{2}{\sin t}.$

Then we deduce

  $\int_{t-\theta}^{t+\theta} \frac{du}{\sin u} \ge \frac{2\theta}{\sin t},$

and taking $\theta = \frac{\pi}{2(q-1)}$ and $t = \frac{\pi\mu}{q-1}$:

  $\sum_{\mu=1}^{2^{n-1}-1}\frac{1}{\sin\frac{\pi\mu}{q-1}}
     \le \frac{q-1}{\pi}\int_{\frac{\pi}{2(q-1)}}^{\frac{\pi}{2}}\frac{du}{\sin u}.$

Set $t(x) = \tan(x/2)$. We have $\sin x = \frac{2t(x)}{1+t(x)^2}$ and $t'(x) = \frac{1+t(x)^2}{2}$,
and therefore $\frac{1}{\sin x} = \frac{t'(x)}{t(x)}$. Hence a primitive of $1/\sin x$ equals
$\ln(|\tan(x/2)|)$. This implies

  $\int_{\frac{\pi}{2(q-1)}}^{\frac{\pi}{2}}\frac{du}{\sin u}
     = \ln\tan\frac{\pi}{4} - \ln\tan\frac{\pi}{4(2^n-1)} = -\ln\tan\frac{\pi}{4(2^n-1)},$

and thus

  $nl(f) = 2^{n-1} - \max_{\lambda}|S_\lambda|
         \ge 2^{n-1} - \left(\frac{2^{n/2+1}}{\pi}\left(-\ln\tan\frac{\pi}{4(2^n-1)}\right) + 1\right)
         \ge 2^{n-1} + \frac{2^{n/2+1}}{\pi}\ln\left(\frac{\pi}{4(2^n-1)}\right) - 1$

(since $\tan x \ge x$, $\forall x \in [0; \frac{\pi}{2}[$). □


Remarks

1. The lower bound given by Theorem 3 shows that the nonlinearity of our
function f is provably considerably better (at least asymptotically) than those
of the previously found functions. Moreover, we checked for small values of n
that the exact value of nl(f) is much better than what this lower bound gives
and better than the nonlinearity of random functions, and that it seems quite
sufficient for resisting fast correlation attacks (for these small values of n, it
behaves as $2^{n-1} - 2^{n/2}$). We give in Table 1 below, for n ranging from 6 to 11,
the values of the nonlinearity of f compared with Lobanov's lower bound (when
applied with optimal algebraic immunity), with the best nonlinearities of those
functions with optimal AI known before the present paper, with the lower bound
of Theorem 3 and with the upper bound $2^{n-1} - 2^{n/2-1}$.

2. We have seen that the computation of the value of f(x) has high complexity.
The power functions seen in [2, Table 1] may be better in practice for being used
with a high number of variables, if their behavior against fast algebraic attacks
can be proved good. Our construction might be useful with different designs,
using fewer variables. It would be nice to find other infinite classes with the same
qualities which would be more easily computable.


Table 1. The values of the nonlinearity of f compared with Lobanov's lower bound
and with the upper bound $2^{n-1} - 2^{n/2-1}$

  n                                              6    7    8     9     10    11
  Lobanov's bound                                12   44   58    186   260   772
  Best nl of fcts with optimal AI known before   22   48   98    196   400   798
  The bound of Theorem 3                         10   28   70    163   366   798
  The values of the nl of fct f of Theorem 1     24   54   112   232   478   980
  The upper bound $2^{n-1} - 2^{n/2-1}$          28   58   120   244   496   1001
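As an added illustration (not code from the paper), the following Python builds f of Theorem 1 for n = 6, 7, 8 from a fixed primitive polynomial, computes its algebraic immunity by an annihilator search over GF(2), and compares its nonlinearity with the bound of Theorem 3. The primitive polynomials and the dot-product form of the Walsh transform are choices made here, not the paper's.

```python
# Added example, not code from the paper: builds the function f of Theorem 1 for
# small n and checks optimal algebraic immunity, balancedness and the Theorem 3 bound.
import math
from itertools import combinations

# Primitive polynomials over GF(2), as integers (bit k = coefficient of x^k); alpha = x.
PRIMITIVE = {6: 0b1000011, 7: 0b10000011, 8: 0b100011101}


def alpha_powers(n):
    """[alpha^0, alpha^1, ..., alpha^(2^n - 2)] in GF(2^n), elements as n-bit integers."""
    poly, top = PRIMITIVE[n], 1 << n
    powers, cur = [], 1
    for _ in range(top - 1):
        powers.append(cur)
        cur <<= 1
        if cur & top:          # reduce modulo the primitive polynomial
            cur ^= poly
    return powers


def carlet_feng_support(n):
    """supp(f) = {0, 1, alpha, ..., alpha^(2^(n-1) - 2)}: 2^(n-1) elements, so f is balanced."""
    return {0} | set(alpha_powers(n)[: (1 << (n - 1)) - 1])


def nonlinearity(n, support):
    """nl(f) = 2^(n-1) - (1/2) max_a |W_f(a)|.  The maps x -> tr(lambda x) are exactly the
    linear forms of GF(2^n), as are x -> parity(a & x), so the dot product can replace the
    trace in the Walsh transform without changing the maximum."""
    size = 1 << n
    truth = [1 if x in support else 0 for x in range(size)]
    worst = 0
    for a in range(size):
        walsh = sum(1 - 2 * (truth[x] ^ (bin(a & x).count("1") & 1)) for x in range(size))
        worst = max(worst, abs(walsh))
    return (size >> 1) - worst // 2


def theorem3_bound(n):
    """Lower bound of Theorem 3 on nl(f)."""
    return 2 ** (n - 1) + 2 ** (n / 2 + 1) / math.pi * math.log(math.pi / (4 * (2 ** n - 1))) - 1


def gf2_rank(rows):
    """Rank over GF(2) of a list of row bitmasks (Gaussian elimination on integers)."""
    rank, rows = 0, list(rows)
    while rows:
        pivot = rows.pop()
        if pivot == 0:
            continue
        rank += 1
        low = pivot & -pivot               # lowest set bit of the pivot row
        rows = [r ^ pivot if r & low else r for r in rows]
    return rank


def has_annihilator(n, zero_set, max_deg):
    """True iff a nonzero g of degree <= max_deg vanishes on every point of zero_set.
    Unknowns are the ANF coefficients of g (one column per monomial of degree <= max_deg);
    a nontrivial solution exists iff the evaluation matrix has rank < number of columns."""
    monomials = [m for d in range(max_deg + 1) for m in combinations(range(n), d)]
    rows = []
    for x in zero_set:
        row = 0
        for col, mono in enumerate(monomials):
            if all(x >> v & 1 for v in mono):   # monomial evaluates to 1 at the point x
                row |= 1 << col
        rows.append(row)
    return gf2_rank(rows) < len(monomials)


def algebraic_immunity(n, support):
    """AI(f) = minimum degree of a nonzero annihilator of f or of f + 1."""
    complement = set(range(1 << n)) - support
    for d in range(n + 1):
        if has_annihilator(n, support, d) or has_annihilator(n, complement, d):
            return d
    return n


if __name__ == "__main__":
    for n in (6, 7, 8):
        supp = carlet_feng_support(n)
        print(f"n={n} |supp|={len(supp)} AI={algebraic_immunity(n, supp)} "
              f"nl={nonlinearity(n, supp)} bound={theorem3_bound(n):.2f}")
```

Because the exact value of nl(f) can depend on which primitive element α is used, the nonlinearity printed here need not coincide with Table 1; the algebraic immunity ⌈n/2⌉ and the Theorem 3 bound hold for every choice.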
5 Immunity against Fast Algebraic Attacks

Computer investigations made using [2, Algorithm 2] suggest the following prop-
erties of the class of functions of Theorem 1:

— No nonzero function g of degree at most e and no function h of degree at
most d exist such that fg = h, when (e, d) = (1, n − 2) for n odd and
(e, d) = (1, n − 3) for n even. This has been checked for n < 12 and we
conjecture it for every n.

— For e > 1, pairs (g, h) of degrees (e, d) such that e + d < n − 1 were never
observed. Precisely, the non-existence of such pairs could be checked exhaus-
tively for n < 9 and e < n/2, for n = 10 and e < 3 and for n = 11 and e < 2.
This suggests that this class of functions, even if not always optimal against
fast algebraic attacks, has a very good behavior.

The instance with n = 9 turns out to be optimal. To the best of our knowledge,
this is the first time that a function with optimal immunity against FAAs can
be observed.

6 Conclusion

The functions of Theorem 1 seem to gather all the properties needed for allowing
the stream ciphers using them as filtering functions to resist all the main attacks
(the Berlekamp-Massey and Rønjom-Helleseth attacks, fast correlation attacks,
standard and fast algebraic attacks). They are the only functions of this kind
found so far.
Abstract. MISTY1 is a Feistel block cipher that received a great deal
of cryptographic attention. Its recursive structure, as well as the added
FL layers, have been successful in thwarting various cryptanalytic tech-
niques. The best known attacks on reduced variants of the cipher are
on either a 4-round variant with the FL functions, or a 6-round variant
without the FL functions (out of the 8 rounds of the cipher).

In this paper we combine the generic impossible differential attack
against 5-round Feistel ciphers with the dedicated Slicing attack to
mount an attack on 5-round MISTY1 with all the FL functions with
time complexity of $2^{46.45}$ simple operations. We then extend the attack
to 6-round MISTY1 with the FL functions present, leading to the best
known cryptanalytic result on the cipher. We also present an attack on
7-round MISTY1 without the FL layers.


1 Introduction 

MISTY1 is a 64-bit block cipher with presence in many cryptographic stan-
dards and applications. For example, MISTY1 was selected to be in the CRYP-
TREC e-government recommended ciphers in 2002 and in the final NESSIE
portfolio of block ciphers, as well as an ISO standard (in 2005).

MISTY1 has a recursive Feistel structure, where the round function is in 
itself (very close to) a 3-round Feistel construction. To add to the security of the 
cipher, after every two rounds (and before the first round), an FL function is 
applied to each of the halves independently. The FL functions are key-dependent
linear functions which play the role of whitening layers (even in the middle of
the encryption).

Belgium and supported by the IAP Programme P6/26 BCRYPT of the Belgian State

MISTY1 has withstood extensive cryptanalytic efforts. The most successful
attacks on it are an impossible differential attack on 4 rounds (when the FL
layers are present), an integral attack on 5 rounds (when all but the last FL
layers are present), and an impossible differential attack on 6 rounds (without
FL layers).

In this paper we show that the generic impossible differential attack against
5-round Feistel constructions can be combined with the dedicated slicing
attack to yield an attack on 5-round MISTY1 with all the FL functions. The
data complexity of the attack is $2^{38}$ chosen plaintexts, and the time complexity
is $2^{46.45}$ simple operations. The main idea behind this attack is to actually attack
the FL functions themselves, as these functions are keyed linear transformations.

After presenting the 5-round attack, we extend it by one more round, and
show that by using key schedule considerations and a delicately tailored attack
algorithm, it is possible to attack 6 rounds of MISTY1 with all the FL functions
present. The 6-round attack requires $2^{51}$ chosen plaintexts and has a running
time of $2^{123.4}$ encryptions.

Finally, we present an impossible differential attack on 7-round MISTY1 when
the FL layers are omitted. The attack uses $2^{50.2}$ known plaintexts, and has a run-
ning time of $2^{114.1}$ encryptions. We summarize our results along with previously
known results on MISTY1 in Table 1.


Table 1. Summary of the Attacks on MISTY1

  Attack                                     Rounds   FL functions   Data            Time
  Impossible Differential                    4        Most           2^23 CP         2^90.4
  Impossible Differential                    4        Most           2^38 CP         2^62
  Collision Search                           4        Most           2^20 CP         2^89
  Collision Search                           4        Most           2^28 CP         2^76
  Slicing Attack                             4†       All            2^22.25 CP      2^45
  Slicing Attack & Impossible Differential   4        All            2^27.2 CP       2^81.6
  Impossible Differential                    4        All            2^27.5 CP       2^116
  Integral                                   5        Most           2^10.5 CP       2^22.11
  Impossible Differential (Section 3)        5†       All            2^38 CP         2^46.45
  Impossible Differential (Section 4)        6        All            2^51 CP         2^123.4
  Higher-Order Differential                  5        None           2^10.5 CP       2^17
  Impossible Differential                    6        None           2^54 CP         2^61
  Impossible Differential                    6        None           2^39 CP         2^106
  Impossible Differential                    6        None           2^39 CP         2^85
  Impossible Differential (Section 5)        7        None           2^50.2 KP       2^114.1

KP - Known plaintext, CP - Chosen plaintext.
† - the attack retrieves 41.36 bits of information about the key.
This paper is organized as follows: In Section 2 we give a brief description
of the structure of MISTY1. We present our 5-round attack in Section 3 and
discuss its extension to 6 rounds in Section 4. In Section 5 we present a 7-round
attack which can be applied when there are no FL layers. Section 6 concludes
the paper.


2 The MISTY1 Cipher 

MISTY1 is a 64-bit block cipher that has a key size of 128 bits. Since its
introduction it withstood several cryptanalytic attacks [1,6,7,8,9], mostly due to
its very strong round function (which accepts a 32-bit input and a 112-bit subkey¹)
and the FL layers (keyed linear transformations) which are applied every two
rounds. The security of MISTY1 was acknowledged several times, when it was
selected to the NESSIE portfolio, the CRYPTREC's list of recommended ciphers,
and as an ISO standard.

MISTY1 has a recursive structure. The general structure of the cipher is a 
8-round Feistel construction, where the round function, FO, is in itself close to 
a 3-round Feistel construction. The input to the FO function is divided into two 
halves. The left one is XORed with a subkey, enters a keyed permutation FI, 
and the output is XORed with the right half. After the XOR the two halves are 
swapped, and the same process (including the swap) is repeated two more times. 
After that, an additional swap and an XOR of the left half with a subkey are 
performed. 

The FI in itself also has a Feistel-like structure. The 16-bit input is divided
into two unequal halves, one of 9 bits, and the second of 7 bits. The left half
(which contains 9 bits) enters an S-box, S9, and the output is XORed with the
7-bit half (after padding the 7-bit value with two zeroes). The two halves are
swapped, the 7-bit half enters a different S-box, S7, and the output is XORed
with 7 bits out of the 9 of the right half. The two halves are then XORed with
a subkey, and swapped again. The 9-bit value again enters S9, and the output
is XORed with the 7-bit half (after padding). The two halves are then swapped
for the last time.

Every two rounds, starting before the first one, the two 32-bit halves enter an 
FL layer. The FL layer is a simple transformation. The input is divided into two 
halves of 16 bits each, the AND of the left half with a subkey is XORed to the 
right half, and the OR of the updated right half with another subkey is XORed 
to the left half. We outline the structure of MISTY1 and its parts in Figure 1.

The key schedule of MISTY1 takes the 128-bit key, and treats it as eight 16-
bit words $K_1, K_2, \dots, K_8$. From this set of subkeys, another eight 16-bit words
are generated according to $K'_i = FI_{K_{i+1}}(K_i)$.²

¹ It was observed that the round function has an equivalent description that
accepts 105 equivalent subkey bits.

² In case the index of the key j is greater than 8, the used key word is j − 8. This
convention is used throughout the paper.
Fig. 1. Outline of MISTY1 (figure not reproduced; legend: ∩ bitwise AND, ∪ bitwise OR; the FI function is shown as a separate panel)


In each round, seven words are used as the round subkey, and each of the FL
functions accepts two subkey words. We give the exact key schedule of MISTY1
in Table 2.


3 An Impossible Differential Attack on 5-Round MISTY1

Our attack on 5-round MISTY1 with all the FL functions is based on the generic
impossible differential attack against 5-round Feistel constructions with a bijec-
tive round function and on the dedicated slicing attack on reduced-round
MISTY1.
Table 2. The Key Schedule Algorithm of MISTY1

  KO_{i,1}   KO_{i,2}   KO_{i,3}   KO_{i,4}   KI_{i,1}   KI_{i,2}   KI_{i,3}   KL_{i,1}                 KL_{i,2}
  K_i        K_{i+2}    K_{i+7}    K_{i+4}    K'_{i+5}   K'_{i+1}   K'_{i+3}   K_{(i+1)/2}  (odd i)     K'_{(i+1)/2+6}  (odd i)
                                                                               K'_{i/2+2}   (even i)    K_{i/2+4}       (even i)

3.1 The New 5-Round Impossible Differential 

The generic attack on 5-round Feistel constructions is based on the following 
impossible differential: 

Observation 1 (page 136). Let $E : \{0,1\}^{2n} \to \{0,1\}^{2n}$ be a 5-round Feis-
tel construction with a bijective round function $f : \{0,1\}^n \to \{0,1\}^n$. Then for
all non-zero $a \in \{0,1\}^n$, the differential $(0, a) \to (0, a)$ through E is impossible.

Our proposition is based on the fact that a similar impossible differential can be
constructed even if FL layers are added to the construction, as in MISTY1. Note
that since for a given key the FL layers are linear, we can define FL(α) for a differ-
ence α as the unique difference β such that $(x \oplus y = \alpha) \Rightarrow (FL(x) \oplus FL(y) = \beta)$.

Proposition 1. Let E denote a 5-round variant of MISTY1, with all the FL
functions present (including an FL layer after round 5). If for the given secret
key we have $FL8(FL6(FL4(FL2(\alpha)))) = \beta$, where FLn is FL with the key
$KL_n$, then the differential $(0, \alpha) \to (0, \beta)$ through E is impossible.

Proof. If the plaintext difference is $(0, \alpha)$, then after the first FL layer, the dif-
ference becomes $(0, FL2(\alpha))$. This difference evolves after two rounds (including
the second FL layer) to $(x, FL4(FL2(\alpha)))$, where $x \ne 0$ due to the bijectiveness
of the round function of MISTY1.

On the other hand, if the output difference is $(0, \beta)$ such that $\beta =
FL8(FL6(FL4(FL2(\alpha))))$, then before the last FL layer, the difference is
$(0, FL6(FL4(FL2(\alpha))))$, and thus the input difference to round 5 is also
$(0, FL6(FL4(FL2(\alpha))))$. Thus, the difference before the third FL layer is
$(0, FL4(FL2(\alpha)))$.

However, if the input difference to round 3 is $(x, FL4(FL2(\alpha)))$ and the output
difference of round 4 (before the FL layer) is $(0, FL4(FL2(\alpha)))$, then the output
difference of the FO function in round 3 is zero. This is impossible since the input
difference to this FO function is $x \ne 0$, and the FO function is bijective.

Hence, the differential $(0, \alpha) \to (0, \beta)$ is indeed impossible. □

We note that a similar approach is used in the slicing attack on 4-round
MISTY1. The slicing attack is based on the generic 3-round impossible differ-
ential $(0, \alpha) \to (0, \beta)$ for all non-zero α, β which holds for every 3-round Feistel
construction with a bijective round function.
3.2 The Structure of the FL Functions

A straightforward way to use the new impossible differential to attack 5-round
MISTY1 is to encrypt many pairs with difference $(0, \alpha)$ for non-zero α, con-
sider the pairs whose ciphertext difference is of the form $(0, \beta)$, and discard
subkeys of the FL layers for which $FL8(FL6(FL4(FL2(\alpha)))) = \beta$. However,
since the subkeys used in FL2, FL4, FL6, and FL8 are determined by 96 key
bits, this approach is very time consuming. Instead, we examine the structure
of the FL functions in order to find an efficient way to find the instances for
which $FL8(FL6(FL4(FL2(\alpha)))) = \beta$, for a given pair (α, β). We use a series of
observations, most of which were first presented in earlier work.

In the rest of this section, the function FL8 ∘ FL6 ∘ FL4 ∘ FL2 is denoted
by G.

1. For each $0 \le i \le 15$, the i-th bits of both halves of the input to an FL
function and the i-th bits of both halves of the subkey used in the FL
function influence only the i-th bits of both halves of the output of the
function. As a result, each FL function can be represented as a parallel
application of 16 functions $f_i : \{0,1\}^2 \to \{0,1\}^2$ keyed by two different
subkey bits each.

2. Each $f_i$ is linear and invertible.

3. The two observations above hold also for a series of FL functions applied
sequentially. In particular, the function G = FL8 ∘ FL6 ∘ FL4 ∘ FL2 can
be represented as a parallel application of 16 functions $g_i : \{0,1\}^2 \to \{0,1\}^2$
keyed by eight subkey bits each. The $g_i$'s are all linear and invertible, and
hence, can realize only six possible functions.³ Thus, there are only $6^{16} =
2^{41.36}$ possible G functions.

4. Since each $g_i$ is invertible, the differentials $0 \to a$ and $a \to 0$ through $g_i$
are impossible, for each non-zero $a \in \{0,1\}^2$. As a result, most of the dif-
ferentials of the form $\alpha \to \beta$ through G are impossible, regardless of the
subkeys used in the FL functions. In each of the $g_i$'s, only 10 out of the 16
possible input/output pairs are possible. Hence, only $(10/16)^{16} = 2^{-10.85}$ of
the input/output pairs for G are possible.

5. Assume that $G(\alpha) = \beta$, for fixed α and β. We want to find how many
functions of the form G (out of the possible $2^{41.36}$ functions) satisfy this
condition. For each $g_i$, there are 10 possible input/output pairs (the other six
pairs are impossible for any subkey). For the $0 \to 0$ pair, all the six possible $g_i$
functions satisfy this condition. For each of the 9 remaining pairs, two of the
six functions satisfy the condition. Since the $g_i$ functions are independent,
the expected number of functions satisfying the conditions for all the $g_i$'s is:

³ Since we are interested only in differences, we treat two functions that differ by an
additive constant as the same function. The total number of functions for each $f_i$ is
actually 24.
The $2^{41.36}$ possible G functions can be enumerated in such a way that the
functions satisfying the condition for each (α, β) pair can be found efficiently.

Using these observations on the structure of the FL functions, we are ready 
to present our attack. 

3.3 The New Attack 

1. Ask for the encryption of 64 structures of $2^{32}$ plaintexts each, such that in
each structure, the left half of all the plaintexts is equal to some random value
A, while the right half obtains all possible values. (As a result, the difference
between two plaintexts in the same structure is of the form $(0, \alpha)$).

2. For each structure, find the pairs whose output difference is of the form
$(0, \beta)$.

3. For each pair with input difference $(0, \alpha)$ and output difference $(0, \beta)$ check
whether $\alpha \to \beta$ is an impossible differential for the function G (as described
in Section 3.2). Discard pairs which fail this test.

4. For each remaining pair, find all the G functions satisfying the condition
$G(\alpha) = \beta$ and discard them from the list of all possible G functions.

5. After analyzing all the remaining pairs, output the list of remaining G func-
tions.

Step 2 of the algorithm can be easily implemented by a hash table, resulting in
about $2^{31}$ pairs from each structure. Step 3 can be easily performed by evaluating
a simple Boolean function on the input and the output (as we are concerned with
cases of a zero input causing a non-zero output or vice versa).⁴

As noted in Section 3.2, out of the $2^{31}$ pairs, about $2^{31} \cdot 2^{-10.85} = 2^{20.15}$ pairs
remain from each structure at this point. Each of these pairs discards about
$2^{20.2}$ possible values of G on average (as shown in Section 3.2), and thus, each
structure is expected to discard about $2^{40.35}$ G functions. The identification of
the discarded functions can be performed very efficiently.

Thus, after analyzing about 64 structures, we are left only with the right G
function.⁵ The time complexity of the attack is about $64 \cdot 2^{20.15} \cdot 2^{20.2} = 2^{46.35}$
simple operations, and the information retrieved by the attacker is equivalent to
41.36 key bits. In many situations, this is considered a break of the system and
the attack terminates.

⁴ The exact Boolean expression is as follows: Let the input difference of G be $(x_1, x_2)$
and the output difference of G be $(y_1, y_2)$. Also let $\bar{t}$ be the bitwise NOT of t, let & be
a bitwise AND, and | be a bitwise OR. If $\bar{x_1} \,\&\, \bar{x_2} \,\&\, (y_1 | y_2)$ is non-zero then there is a
zero input difference transformed to a non-zero output difference. It is also required
to check whether the output difference is zero and the input difference is non-zero,
which is done by evaluating: $\bar{y_1} \,\&\, \bar{y_2} \,\&\, (x_1 | x_2)$.

⁵ We expect $2^{40.35} \cdot 64 = 2^{46.35}$ functions to be discarded (with overlap). Thus, the
probability that a specific function remains after the analysis is

  $(1 - 2^{-41.36})^{2^{46.35}} \approx e^{-32} = 2^{-46.2}$.
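As an added check (not code from the paper), the following Python implements FL as described in Section 2 and verifies the slice observations of Section 3.2 and the footnote 4 filter by enumeration: the per-slice model reproduces FL differences, one slice of G realises exactly six maps (hence $6^{16} = 2^{41.36}$ G functions), 10 of the 16 slice input/output pairs are possible, and a pair is consistent with 6 or 2 slice functions. The sample keys and differences are constructed here.

```python
# Added example, not code from the paper: MISTY1's FL layer (Section 2) and the
# bit-slice observations of Section 3.2 / footnote 4, checked by enumeration.
import math
import random
from itertools import product

MASK16 = 0xFFFF


def fl(x, kl1, kl2):
    """FL on a 32-bit word x = (left || right): right ^= left & KL1; left ^= right | KL2."""
    left, right = x >> 16, x & MASK16
    right ^= left & kl1
    left ^= right | kl2
    return (left << 16) | right


def fl_slice_diff(d, k1, k2):
    """Difference map of one 2-bit slice of FL, d = (left bit << 1) | right bit, keyed by
    the slice's bits (k1, k2) of (KL1, KL2).  AND with a key bit keeps a difference only
    when the bit is 1; OR with a key bit 1 produces a constant, so the difference vanishes."""
    da, db = d >> 1, d & 1
    db ^= da & k1
    da ^= db & (1 - k2)
    return (da << 1) | db


def fl_diff_model(d, kl1, kl2):
    """Difference through a whole FL predicted slice by slice (observation 1)."""
    out = 0
    for i in range(16):
        pair = (((d >> (16 + i)) & 1) << 1) | ((d >> i) & 1)
        res = fl_slice_diff(pair, (kl1 >> i) & 1, (kl2 >> i) & 1)
        out |= ((res >> 1) << (16 + i)) | ((res & 1) << i)
    return out


def model_matches_fl(samples=200, seed=1):
    """fl(x ^ d) ^ fl(x) equals the slice prediction for constructed random x, d, keys."""
    rng = random.Random(seed)
    for _ in range(samples):
        x, d = rng.getrandbits(32), rng.getrandbits(32)
        kl1, kl2 = rng.getrandbits(16), rng.getrandbits(16)
        if fl(x ^ d, kl1, kl2) ^ fl(x, kl1, kl2) != fl_diff_model(d, kl1, kl2):
            return False
    return True


def g_slice_maps():
    """All distinct difference maps of one slice g_i of G = FL8 o FL6 o FL4 o FL2 over
    the 2^8 values of its eight key bits (observation 3); each map is a 4-entry table."""
    maps = set()
    for keys in product((0, 1), repeat=8):
        table = []
        for d in range(4):
            cur = d
            for k1, k2 in zip(keys[0::2], keys[1::2]):   # FL2, FL4, FL6, FL8 in turn
                cur = fl_slice_diff(cur, k1, k2)
            table.append(cur)
        maps.add(tuple(table))
    return maps


def possible_pairs(maps):
    """(input diff, output diff) slice pairs realisable by at least one key (observation 4)."""
    return {(d, m[d]) for m in maps for d in range(4)}


def count_consistent(maps, d_in, d_out):
    """Number of slice functions g_i with g_i(d_in) = d_out (observation 5)."""
    return sum(1 for m in maps if m[d_in] == d_out)


def g_statistics():
    """(slice maps, log2 #G functions, realisable slice pairs, log2 fraction of pairs)."""
    maps = g_slice_maps()
    pairs = possible_pairs(maps)
    return (len(maps), round(16 * math.log2(len(maps)), 2),
            len(pairs), round(16 * math.log2(len(pairs) / 16), 2))


def footnote4_possible(x1, x2, y1, y2):
    """Footnote 4: (x1, x2) -> (y1, y2) through G survives the zero/non-zero slice test
    iff both expressions are zero (no slice goes 0 -> non-zero or non-zero -> 0)."""
    zero_to_nonzero = ~x1 & ~x2 & (y1 | y2) & MASK16
    nonzero_to_zero = ~y1 & ~y2 & (x1 | x2) & MASK16
    return zero_to_nonzero == 0 and nonzero_to_zero == 0


def filter_agrees_with_enumeration():
    """On a single slice the footnote 4 test accepts exactly the 10 realisable pairs."""
    ok = possible_pairs(g_slice_maps())
    return all(footnote4_possible(a >> 1, a & 1, b >> 1, b & 1) == ((a, b) in ok)
               for a in range(4) for b in range(4))
```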
3.4 Retrieving the Rest of the Secret Key

If the attacker wants to retrieve the actual value of the key, she can use the
G function found in the attack to retrieve the value of the subkeys used in the
G function. A naive approach is to try the possible $2^{96}$ subkeys which affect
the functions FL2, FL4, FL6, and FL8, and check (for each subkey) whether it
yields the correct G function. A more efficient algorithm is to guess the values of
the subkeys $K'_3$, $K_4$, $K_5$, $K_6$, and $K_7$, and check whether they induce the correct
transformation from the input of G to the right half of the output of G. If
this is the case, the attacker can retrieve the suggested value for $K_8$ efficiently,
and if the suggestion is consistent with the correct G function, the attacker
obtains a candidate for 96 bits of the key (the knowledge of $K'_3$ and $K_4$ allows
computing $K_3$). The time complexity of this approach is roughly $2^{80}$ evaluations
of four FL functions, and the attacker gets a list of $2^{96} \cdot 2^{-41.36} = 2^{54.64}$ 96-bit
subkeys. Retrieving the rest of the key by exhaustive search leads to a total time
complexity of $2^{86.64}$ encryptions.

We note that possibly this part of the attack can be performed much more effi-
ciently using some different attack technique and exploiting the key information
obtained so far.⁶

4 Extending the Attack to 6 Rounds 

The simplest way to extend a 5-round attack to 6 rounds is to guess the subkey of
the last round, peel the last round off, and apply the 5-round attack. In MISTY1,
this requires guessing the key of the last FL layer, as well as 112 subkey bits
which enter the sixth FO function. Thus, we need to use a more careful analysis
and key schedule considerations to present this attack.

In our attack we guess the subkey of the last FL layer (composed of 64 bits),
and examine only ciphertext pairs with a special structure in order to reduce the
amount of subkey material in the sixth FO we need to handle. Finally, we repeat
the five-round attack, taking into consideration the already known subkey material.

The special structure of the pairs examined in the attack is based on the
following observation, presented in [7]:

Observation 2 ([7]). Assume that the input values to the function $FO_i$ are
known. The question whether the output difference of $FO_i$ is of the form $(\delta, \delta)$,
for a 16-bit value δ, depends only on the 50 subkey bits $KO_{i,4}$, $KO_{i,2}$, $KI_{i,1,2}$,
and $KI_{i,2,2}$.

4.1 The Attack's Algorithm

1. Take m structures (generated just like in the 5-round attack).

2. For each guess of the subkey used in the last FL layer (subkeys $K'_2$, $K_4$, $K'_6$,
and $K_8$), partially decrypt all the ciphertexts.

⁶ We note that a similar problem has been discussed elsewhere, and several techniques
applicable in special cases (e.g., if the attacker can use both chosen plaintext and
chosen ciphertext queries) are presented there.
3. Find all pairs with plaintext difference $(0, \alpha)$ and ciphertext difference
$((\delta, \delta), (x, y))$⁷ such that the differential $\alpha \to (x, y)$ through FL6 ∘ FL4 ∘ FL2
is not impossible (see Section 3.2).

4. Analysis of Round 6: For each such pair, with difference $((\delta, \delta), (x, y))$,
perform the following steps:

(a) Given $KO_{6,2} = K_8$, compute the actual values just before the key addi-
tion with $KI_{6,2}$ for the pair. If the difference in the 7 left bits does not
fit the corresponding 7 difference bits of δ, discard the pair.

(b) Using the input and output differences of the second S9 S-box of the
function $FI_{6,2}$, find the pairs of actual input values satisfying this dif-
ference relation.⁸ From the actual input values obtain (on average) one
candidate for the 9 bits of $KI_{6,2,2}$.

(c) For each possible guess of $KI_{6,2,1}$ (i.e., the remaining unknown bits of
$K'_7$) compute $KO_{6,1} = K_6$, and check whether the difference in the 7 left
bits before the key addition in the first FI is equal to the difference in
the 7 left bits of y.

(d) Similarly to Step 4(b), deduce $KI_{6,1,2}$ using the input/output differences
of the second S9 in the function $FI_{6,1}$, suggested by the pair.

5. Application of the 5-Round Attack: For each guess of the 89 subkey
bits (i.e., $K'_2$, $K_4$, $K'_6$, $K_7$, $K_8$, $KI_{6,1,2}$) and for each pair corresponding to this
subkey guess, perform the following:

(a) Guess the 9 least significant bits of $K_5$ and use the key sched-
ule to compute bits 7,8 of $K'_4$ and $K'_5$. Check whether the relation
$FL6(FL4(FL2(\alpha))) = (x, y)$ holds at bits 7,8 of the left and the right
halves of α and β (note that all the subkey bits involved in this relation
are already known). If not, discard the pair.

(b) Guess the remainder of $K_5$, and compute the full values of $K'_4$ and $K'_5$.
Check whether the pair can achieve $\alpha \to (x, y)$, and retrieve the sug-
gested value for the 7 remaining bits of $K'_3$.

(c) If at this stage, for a given key guess there are remaining pairs, discard
the subkey guess (as it suggests an impossible event). Otherwise, retrieve
the remaining key bits by exhaustive search.


4.2 Analysis of the Attack

Starting with m structures, for each guess of the subkey used in the last FL
layer (64 bits), about $m \cdot 2^{63} \cdot 2^{-16} \cdot 2^{-10.85} = m \cdot 2^{36.15}$ pairs are expected to
enter Step 4. Each of these pairs has probability $2^{-7}$ to satisfy the differential
condition of Step 4(a), leaving $m \cdot 2^{29.15}$ pairs for each guess of the first 64 subkey
bits. Then, in Step 4(b) we obtain (for each pair) one candidate on average for
9 additional subkey bits, reducing the number of pairs associated with a given
subkey guess (of 73 bits) to $m \cdot 2^{20.15}$ pairs. These two operations (a 7-bit filtering

⁷ The reader is advised that we give the values without the swap operation, to be
consistent with our figure describing MISTY1.

⁸ This can be done easily by examining the difference distribution table of S9.
and a 9-bit subkey suggestion) are performed again in Steps 4(c) and 4(d) for each
guess of 7 additional subkey bits. As a result, $m \cdot 2^{20.15} \cdot 2^{-16} = m \cdot 2^{4.15}$ pairs
are expected to enter Step 5, for each of the 89-bit subkey guesses.

In Step 5, we guess a total of 16 additional key bits, and discard all the
pairs for which $FL6(FL4(FL2(\alpha))) \ne (x, y)$. Since all the pairs for which the
differential $\alpha \to (x, y)$ through FL6 ∘ FL4 ∘ FL2 is impossible were discarded in
Step 3 of the attack, the probability of a pair to pass the filtering of Step 5
is $2^{-21.15}$. Hence, the number of pairs remaining after Step 5 for each subkey
guess is $m \cdot 2^{4.15} \cdot 2^{-21.15} = m \cdot 2^{-17}$. As a result, the probability that a subkey
guess is not discarded is $e^{-m \cdot 2^{-17}}$. Thus, the time complexity of Step 5(c) is
$2^{128} \cdot e^{-m \cdot 2^{-17}}$ encryptions.

We note that the number of pairs entering Step 5(b) is $m \cdot 2^{1.5}$ for each subkey
guess. Indeed, in Step 5(a) we discard the pairs for which $FL6(FL4(FL2(\alpha))) \ne
(x, y)$ in four bits. It may seem that the probability of a pair to pass this filtering
is $2^{-4}$. However, since the pairs for which the differential $\alpha \to (x, y)$ through
FL6 ∘ FL4 ∘ FL2 is impossible were already discarded before, the probability of
a pair to pass the filtering is $2^{-2.65}$,⁹ and hence the number of remaining pairs
is indeed $m \cdot 2^{1.5}$ for each subkey guess.

The two most time consuming steps of the attack are Steps 5(b) and 5(c).
Step 5(b) takes $3 \cdot m \cdot 2^{1.5} \cdot 2^{105} = m \cdot 2^{108.1}$ evaluations of FL. We take the
moderate assumption that the time complexity of three FL evaluations is not
greater than 1/8 of the time required for a 6-round encryption. Hence, the time
complexity of Step 5(b) is about $m \cdot 2^{103.5}$ MISTY1 encryptions. Step 5(c) takes
$2^{128} \cdot e^{-m \cdot 2^{-17}}$ encryptions.

The least overall time complexity is achieved when both terms are the same,
i.e., when $m \cdot 2^{103.5} = 2^{128} \cdot e^{-m \cdot 2^{-17}}$. Solving this equation numerically sug-
gests that $m = 2^{18.945}$ is the optimal value. Thus, the data complexity of the
attack is $m \cdot 2^{32} \approx 2^{51}$ chosen plaintexts, and the time complexity is $2^{123.4}$
encryptions.

5 Attack on 7-Round MISTY1 with No FL Layers 

In this section we show that if the FL layers are removed from the structure of
MISTY1, then the generic impossible differential for 5-round Feistel construc-
tions can be used to mount an attack on a 7-round variant of the cipher.
The attack is based on examining pairs with input difference $(\alpha, x)$ and output
difference $(\alpha, y)$, and discarding all the subkeys which lead to the impossible dif-
ferential $(\alpha, 0) \to (\alpha, 0)$ in rounds 2-6. However, since each of the FO functions
uses 112 key bits, trying all the possible subkeys is infeasible. Instead, we use dif-
ferential properties of the FO function, along with key schedule considerations,
in order to discard the possible subkeys efficiently.


⁹ As noted earlier, in the filtering in Step 3, the attacker discards (for a given pair of
bits) 6 out of 16 possible values. Hence, in this step, the attacker discards 9 out of
the remaining 10 values.
5.1 Differential Properties of the FO Function 

We start with an observation presented in [ref]. 

Observation 3 ([ref]). Given a pair of input values to the function $FO_i$, the 
corresponding output difference depends only on the equivalent of 75 subkey bits. 
These bits are the subkeys $KO_{i,1}$, $KO_{i,2}$, $KI_{i,1,2}$, $KI_{i,2,2}$, $KI_{i,3,2}$, and the 
equivalent subkey 

$$AKO_{i,3} = KO_{i,3} \oplus (KI_{i,1,1} \,\|\, 00 \,\|\, KI_{i,1,1}),$$ 

where $\|$ denotes concatenation. 

We refer the reader to [ref] for the complete proof of this observation. 

Our next proposition is a novel observation concerning MISTY1: 

Proposition 2. Assume that the input values and the output difference of the 
function $FO_i$ are known, along with one of the following sets of subkey bits: 

1. $KO_{i,1}, KI_{i,1,2}, KI_{i,2,2}, KI_{i,3,2}$, or 

2. $KO_{i,2}, KI_{i,1,2}, KI_{i,2,2}, KI_{i,3,2}$. 

Consider the remaining 32 key bits that influence the output difference (i.e., 
$KO_{i,2}$ or $KO_{i,1}$, respectively, along with $AKO_{i,3}$). There exists one value of 
these 32 bits on average which satisfies the input/output condition, and this 
value can be found efficiently (using only several simple operations). 

Proof. Consider the case when the bits of Set 1 are known. The knowledge 
of bits $KO_{i,1}$ and $KI_{i,1,2}$ allows one to encrypt the pair through the first FI layer 
and (using the output difference of $FO_i$) obtain the output difference of $FI_{i,2}$. 
The input difference to $FI_{i,2}$ can be computed from the input of $FO_i$. Given the 
input and the output differences to the function $FI_{i,2}$ and the subkey $KI_{i,2,2}$, 
there exists one pair of inputs on average which satisfies the input/output differ- 
ence condition. This pair of actual values, along with the input to $FO_i$, suggests 
a unique value for the subkey $KO_{i,2}$. Similarly, since the input and output dif- 
ferences to $FI_{i,3}$ and the subkey $KI_{i,3,2}$ are known, they suggest one value of 
the subkey $AKO_{i,3}$ on average which satisfies these differences. 

In the second case, when the bits of Set 2 are known, the knowledge of 
bits $KO_{i,2}$ and $KI_{i,2,2}$ allows one to encrypt the pair through the second FI layer 
and (using the output difference of $FO_i$) obtain the output difference of $FI_{i,1}$. 
The input difference to $FI_{i,1}$ can be computed from the input of $FO_i$. This 
input/output difference pair suggests a single value of the subkey $KO_{i,1}$ on 
average. The single suggestion for $AKO_{i,3}$ can be retrieved as in the first case. 

In order to obtain the suggested subkeys efficiently, it is sufficient to pre- 
compute the full difference distribution table of the FI function (i.e., a table 
containing also the actual values which satisfy each input/output difference con- 
dition), for each possible value of $KI_{i,j,2}$. Each such table requires about $2^{34}$ 
bytes of memory. In the on-line phase of the attack, given the input/output 
differences to an FI function, along with the corresponding subkey $KI_{i,j,2}$, the 
possible actual values of the input can be found using a single table look-up. 
Hence, the suggested values for the 32 subkey bits can be found using only sev- 
eral simple operations. □ 
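
The table look-up at the heart of Proposition 2 can be seen in miniature on a 4-bit keyed S-box. The following Python is an added illustration, not part of the paper: it stands in for the keyed FI function with $y = S(x \oplus k)$, uses the PRESENT S-box only as a convenient 4-bit bijection (it is not MISTY1's S7 or S9), builds the difference distribution table that also records the actual inputs, and checks two facts the proof relies on: a given input/output difference pair suggests exactly one key value on average, and the right key is always among the suggestions.

```python
# Added illustration (not from the paper) of the table-based key suggestion used in
# Proposition 2, scaled down to a 4-bit S-box. The keyed map y = S(x ^ k) is a
# stand-in for the keyed FI function; the S-box is PRESENT's, chosen only because
# it is a convenient 4-bit bijection, not MISTY1's S7/S9.

from itertools import product

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = len(SBOX)  # 16 possible S-box inputs


def build_ddt_with_solutions(sbox):
    """Full difference distribution table that also keeps the actual inputs.

    table[(din, dout)] lists every u with sbox[u] ^ sbox[u ^ din] == dout, i.e.
    every pair {u, u ^ din} that follows the differential din -> dout. This is the
    'table containing also the actual values' that the proof precomputes.
    """
    table = {}
    for din in range(1, len(sbox)):
        for u in range(len(sbox)):
            dout = sbox[u] ^ sbox[u ^ din]
            table.setdefault((din, dout), []).append(u)
    return table


def suggest_keys(table, x0, x1, dout):
    """Keys k consistent with S(x0 ^ k) ^ S(x1 ^ k) == dout.

    Key addition cancels in the input difference, so din = x0 ^ x1 is known from
    the plaintext pair, and every tabulated S-box input u yields the candidate
    k = u ^ x0. One table look-up, a few XORs: the on-line cost of Proposition 2.
    """
    din = x0 ^ x1
    return sorted({u ^ x0 for u in table.get((din, dout), [])})


def average_solutions(table, n=N):
    """Average number of S-box inputs per (din, dout) cell over all 15 * 16 cells.

    For a fixed din the n inputs are spread over the n possible output differences,
    so the average is exactly 1: the 'one value on average' count of Proposition 2.
    """
    cells = (n - 1) * n
    total = sum(len(table.get((din, dout), [])) for din in range(1, n) for dout in range(n))
    return total / cells


def recovery_check(table, n=N):
    """Over every key and every distinct plaintext pair, the real key must be among
    the suggested keys. Returns True when that holds throughout."""
    found = True
    for k, x0, x1 in product(range(n), repeat=3):
        if x0 == x1:
            continue
        dout = SBOX[x0 ^ k] ^ SBOX[x1 ^ k]
        found &= k in suggest_keys(table, x0, x1, dout)
    return found
```

The table is symmetric in $u$ and $u \oplus din$, so a real pair always yields at least two candidates ($k$ and $k \oplus din$); the average of one is over all cells, including the impossible differentials whose cells are empty. That is exactly why a single pair suggests one 32-bit value on average in the attack, yet individual pairs may suggest several.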

Now we are ready to present the attack. 

5.2 The Attack Algorithm 

The attack algorithm is as follows: 

1. Ask for the encryption of $2^{50.2}$ known plaintexts. 

2. Find all pairs $(P_1, P_2)$ and their corresponding ciphertexts $(C_1, C_2)$, re- 
spectively, such that $P_1 \oplus P_2 = (\alpha, x)$ and $C_1 \oplus C_2 = (\alpha, y)$ for some 
$x, y$ and $\alpha$. The expected number of pairs remaining after this stage is 

$$\frac{(2^{50.2})^2}{2} \cdot 2^{-32} = 2^{67.4}.$$ 

3. Examining round 1: For each of the remaining pairs, perform the follow- 
ing: 

(a) Guess the subkey $K_1$ and the 9 least significant bits of the subkeys 
$K'_2, K'_4, K'_6$ (which compose the subkeys $KO_{1,1}$, $KI_{1,1,2}$, $KI_{1,2,2}$, and 
$KI_{1,3,2}$). Use Proposition 2 to find the suggested value for the subkeys 
$KO_{1,2} = K_3$ and $AKO_{1,3}$. 

(b) Guess the remaining bits of $K'_6$ (which are the bits of $KI_{1,1,1}$), and use 
the value of $AKO_{1,3}$ to obtain the value $KO_{1,3} = K_8$. 

(c) For each value of the subkeys $K_3$ and $K_8$, store the list of all the pairs 
which suggested this value. The expected number of such pairs is 

$$2^{67.4} \cdot 2^{16+9+9+9} \cdot 2^{7} / 2^{82} = 2^{35.4}.$$ 

4. Examining round 7: For each possible value of the 82 bits of the key 
considered in Step 3 (subkeys $K_1, K_3, K'_6, K_8$, and the 9 least significant bits 
of $K'_2$ and $K'_4$), and for each of the pairs corresponding to each subkey value, 
perform the following: 

(a) Use Proposition 2 to find the values $KO_{7,1} = K_7$ and $AKO_{7,3}$ (note that 
the values $KO_{7,2}$, $KI_{7,1,2}$, $KI_{7,2,2}$, and $KI_{7,3,2}$ are known at this stage). 

(b) Use the key schedule to find the value of $K_6$. Use the knowledge of 
$AKO_{7,3}$ and $KO_{7,3} = K_6$ to get the value of $KI_{7,1,1}$, along with a 
9-bit filtering condition (only pairs for which $AKO_{7,3} \oplus KO_{7,3}$ is of 
the form $a \,\|\, 00 \,\|\, a$, for some 7-bit value $a$, remain, and suggest the value 
$KI_{7,1,1} = a$). 

5. Discard the values of the 105 examined key bits ($K_1, K_3, K'_4, K_6, K_7, K_8$, and 
the 9 least significant bits of $K'_2$) suggested by at least one pair. The expected 
number of pairs suggesting each subkey value is $2^{35.4} \cdot 2^{-9} / 2^{23} = 10.56$. As 
the number of pairs suggesting a subkey value has a Poisson distribution, a 
subkey remains (i.e., is not suggested by any pairs) with probability $e^{-10.56} = 
2^{-15.23}$. Hence, the expected number of remaining 105-bit subkeys is 
$2^{105} \cdot 2^{-15.23} = 2^{89.77}$. 

6. For the remaining possibilities of the 105-bit subkey, exhaustively search all 
possible keys, until the right key is found. 

The data complexity of the attack is $2^{50.2}$ known plaintexts. Its time com- 
plexity is mostly dominated by Step (4) and Step (6). Step (4) is repeated 
$2^{35.4} \cdot 2^{82} = 2^{117.4}$ times. Each such key deduction is expected to take one FI ap- 
plication, two memory accesses, and a few XOR operations. For the sake of simplicity 
we assume that this is equal to 1/16 of a 7-round MISTY1 encryption, and thus 
Step (4) takes a total of $2^{113.4}$ encryptions. Step (6) takes $2^{128} \cdot 2^{-15.23} = 2^{112.8}$ 
trial encryptions. Therefore, the total time complexity of the attack is $2^{114.1}$ 
encryptions. 
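
The two complexity estimates in this paper (the data/time trade-off of the 6-round attack and the Poisson filtering of Step 5 here) reduce to a few lines of arithmetic that are easy to get wrong by a factor of two, for instance by forgetting that the optimum of the trade-off is the sum of two equal terms. The following Python is added here and is not from the paper; it takes only the constants stated in the text ($2^{103.5}$ encryptions per unit of $m$ for the FL step, $2^{-17}$ pairs per subkey guess, $2^{35.4}$ pairs per 82-bit subkey value, a 9-bit filter, 23 newly determined bits, a Step 4 cost of 1/16 encryption) and reproduces the quoted exponents.

```python
# Added worked computation (not from the paper): the complexity bookkeeping of the
# 6-round and 7-round attacks. Every constant is taken from the text; the functions
# only carry the arithmetic through so the quoted exponents can be reproduced.

import math

LOG2_E = math.log2(math.e)


def six_round_tradeoff(fl_step_exp=103.5, key_bits=128, pairs_per_key_exp=-17.0):
    """Balance m * 2^103.5 against 2^128 * exp(-m * 2^-17) for the 6-round attack.

    Taking log2 of both sides with m = 2^x gives
        x + 2^(x + pairs_per_key_exp) * log2(e) = key_bits - fl_step_exp,
    which is monotone in x and is solved by bisection. Returns (log2 m, log2 data,
    log2 time), where data = m * 2^32 chosen plaintexts and time is the sum of the
    two (equal) terms, hence one more than either term's exponent.
    """
    target = key_bits - fl_step_exp

    def f(x):
        return x + (2 ** (x + pairs_per_key_exp)) * LOG2_E - target

    lo, hi = 0.0, 40.0                 # f(lo) < 0 < f(hi) for these constants
    for _ in range(200):
        mid = (lo + hi) / 2
        if f(mid) < 0:
            lo = mid
        else:
            hi = mid
    x = (lo + hi) / 2
    term = x + fl_step_exp
    return x, x + 32, term + 1.0


def seven_round_filter(pairs_exp=35.4, filter_bits=9, new_key_bits=23, total_key_bits=105):
    """Poisson filtering of Step 5 in the 7-round attack.

    Each 105-bit subkey value is suggested by 2^35.4 * 2^-9 / 2^23 pairs on average
    and survives only if no pair suggests it. Returns (mean suggestions, log2 of the
    surviving fraction exp(-mean), log2 of the number of surviving subkeys).
    """
    mean = 2 ** (pairs_exp - filter_bits - new_key_bits)
    log2_survive = -mean * LOG2_E
    return mean, log2_survive, total_key_bits + log2_survive


def seven_round_time(step4_reps_exp=117.4, step4_cost_exp=-4.0, key_bits=128):
    """Total time of the 7-round attack: Step 4 at 1/16 encryption per repetition,
    plus Step 6 trial encryptions over the keys whose 105-bit part survived Step 5.
    Returns (log2 Step 4, log2 Step 6, log2 total)."""
    _, log2_survive, _ = seven_round_filter()
    step4 = step4_reps_exp + step4_cost_exp
    step6 = key_bits + log2_survive
    return step4, step6, math.log2(2 ** step4 + 2 ** step6)
```

Changing a single assumption, such as charging Step 4 one eighth of an encryption instead of one sixteenth, moves the total by a visible amount, which is why the text states the cost model explicitly before quoting $2^{114.1}$.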

6 Summary and Conclusions 

In this paper we presented several new impossible differential attacks on 
MISTY1. While previous attacks were applicable only up to 4 rounds of the 
cipher (including the FL layers), we presented a 5-round attack with time com- 
plexity of $2^{46.45}$ simple operations, and extended it to an attack on a 6-round 
variant faster than exhaustive key search. We also presented a 7-round attack on 
a variant of the cipher without FL functions. The best previously known attacks 
against this variant were on 6 rounds. 

It seems interesting to compare the attacks on reduced-round variants 
of MISTY1 including the FL functions with the attacks on the variant without 
the FL functions. If the FL functions do not exist, much simpler impossible dif- 
ferential attacks can be mounted, and as a result, the attacks extend to one more 
round, compared to the case where the FL functions are present. On the other hand, 
when the FL functions are present, their linear structure can be exploited in order to 
reduce significantly the time complexity of impossible differential attacks. 

Thus, we conclude that while the FL functions do contribute to the security 
of the full MISTY1 with respect to impossible differential attacks, they may 
reduce the practical security of reduced variants with a relatively small number 
of rounds. 
Abstract. We provide a general framework for constructing identity- 
based and broadcast encryption systems. In particular, we construct a 
general encryption system called spatial encryption from which many 
systems with a variety of properties follow. The ciphertext size in all 
these systems is independent of the number of users involved and is just 
three group elements. Private key size grows with the complexity of the 
system. One application of these results gives the first broadcast HIBE 
system with short ciphertexts. Broadcast HIBE solves a natural problem 
having to do with identity-based encrypted email. 


1 Introduction 

In this paper we develop a general framework for constructing identity-based 
encryption (IBE) [ref] and broadcast encryption [ref] with constant-size cipher- 
texts. This framework enables one to easily combine different encryption prop- 
erties via a product rule and to obtain encryption systems supporting multiple 
properties. For example, a multi-authority, forward-secure, broadcast encryption 
system (with constant-size ciphertexts) is easily derived by taking the "product" 
of three systems. One new concept constructed using our framework is broadcast 
hierarchical IBE. We discuss this concept at the end of the section and explain 
its importance to secure email. 

We start with an informal description of the framework; a precise definition is 
given in the next section. Rather than an IBE or a broadcast system we consider 
a higher level abstraction. 

- Let $\mathcal{P}$ be a finite set of policies. Roughly speaking, a message $m$ can be 
encrypted to any policy $\pi$ in $\mathcal{P}$. 

- Let $\mathcal{R}$ be a finite set of roles. Each decryptor has a role $\rho$ in $\mathcal{R}$ and can 
obtain a private key $K_\rho$ corresponding to its role $\rho$. 

- We allow for an arbitrary predicate called open on the set $\mathcal{R} \times \mathcal{P}$ that specifies 
which roles in $\mathcal{R}$ can open what policies in $\mathcal{P}$. 

A key $K_\rho$ can decrypt ciphertexts encrypted for policy $\pi$ if and only if role $\rho$ 
opens policy $\pi$, i.e. $\mathrm{open}(\rho, \pi)$ is true. 

To continue with the abstraction, we provide a notion of delegation which 
is useful in hierarchical IBE (HIBE) [ref]. To support delegation we assume 
there is a partial order $\succeq$ defined on the set of roles $\mathcal{R}$. The idea is that given 
the key $K_{\rho_1}$ there is a delegation algorithm that can be used to generate the 
key $K_{\rho_2}$, whenever $\rho_1 \succeq \rho_2$. Naturally, we require that the open relation respect 
delegation, meaning that if role $\rho_2$ opens policy $\pi$ and $\rho_1 \succeq \rho_2$ then $\rho_1$ also 
opens $\pi$. 

Given the sets $\mathcal{P}, \mathcal{R}$ and relations open and $\succeq$, one obtains a very general 
notion of identity-based encryption. It generalizes HIBE, broadcast encryption, 
attribute-based encryption [12], predicate encryption [ref] and other variants. 
We refer to such schemes as generalized IBE, or GIBE. In the next section we 
define GIBE schemes more precisely along with their associated security games. 

Spatial encryption. In Section 3 we study an important instance of GIBE called 
spatial encryption in which policies are points in $\mathbb{Z}_p^n$ and roles are affine subspaces 
of $\mathbb{Z}_p^n$. The delegation relation $\succeq$ on roles is defined by subspace inclusion: role 
$\rho_1 \succeq \rho_2$ if $\rho_1$'s affine space contains $\rho_2$'s space. 

As we will see, spatial encryption enables us to build a host of identity-based 
and broadcast encryption schemes. In particular, it supports a product rule 
that lets us combine encryption properties such as forward security, multiple 
authorities, and others. 

In Section 4 we construct an efficient spatial encryption system with constant- 
size ciphertext. Our starting point is an HIBE construction of Boneh, Boyen, and 
Goh [2]. We are able to extend their system to obtain a spatial encryption sys- 
tem. However, the proof of security is more difficult and requires the BDDHE 
assumption introduced in [ref] (the proof in [2] used the slightly weaker BDHI as- 
sumption). We describe various extensions of the system at the end of Section 4. 

Our initial motivation: email encryption. Suppose user $A$ wishes to send an 
encrypted email to users $B_1, \ldots, B_n$. User $A$ knows the identities of all recipients, 
but does not know which private key generators (PKGs) issued their private keys. 
Moreover, user $A$ only trusts PKGs $P_1, \ldots, P_\ell$. She wishes to encrypt the email 
so that user $B_j$ can decrypt it if and only if $B_j$ has a private key issued by 
one of the $\ell$ trusted PKGs. Using basic IBE this will require ciphertext of size 
$O(n \cdot \ell)$. Our goal is to construct a system whose ciphertext size is constant, that 
is, independent of $n$ and $\ell$. 

This natural email encryption problem can be modeled as a GIBE and con- 
structed using the product of two instances of our spatial encryption scheme. 
Here each PKG has a role which can delegate to a key for any user; a (possibly 
distributed) dealer holds the master key $K_\top$. We obtain a system that precisely 
solves the problem described above, with ciphertext size independent of $n$ and 
$\ell$. However, in our current construction the private key size is linear in $n + \ell$. 

Similarly, we also construct a broadcast HIBE. Roughly speaking, in a bro- 
adcast HIBE there is a tree-like hierarchy of identities and private keys as in HIBE. 
An encryptor picks a set $S$ of nodes in the hierarchy and encrypts a message 
$m$ to this set $S$. We let $c$ be the resulting ciphertext. As in a broadcast system, 
any user in $S$ can decrypt $c$, but (proper) coalitions outside of $S$ cannot. We say 
that the system has constant-size ciphertext if the size of $c$ is independent of the 
size of $S$. Broadcast HIBE applies naturally to hierarchical email systems where 
messages can have many recipients. 

Broadcast HIBE can be easily modeled as a GIBE and constructed from our 
spatial encryption system. This expands on the features of previous constant-size 
broadcast systems such as Boneh et al. [5] and Sakai and Furukawa [ref], albeit 
at the cost of increased private-key size. 

2 Generalized Identity-Based Encryption (GIBE) 

A Generalized Identity-Based Encryption Scheme, or GIBE, allows a participant 
to encrypt a message under a certain policy, in some set $\mathcal{P}$ of allowable policies. 
We will enforce no structure on the allowed policies. To decrypt, users may hold 
secret keys corresponding to roles. Roles are organized in a partially-ordered set 
$\mathcal{R}$, that is, a set endowed with a reflexive, transitive, antisymmetric relation $\succeq$. 

A GIBE may be parameterized in some way. For example, a system may have 
a limited number of identities, hierarchy levels, time periods or the like. We call 
such choices the setup parameters $SP$. As $SP$ varies, $\mathcal{P}$ and $\mathcal{R}$ will generally 
also vary. Similarly, $\mathcal{P}$ and $\mathcal{R}$ may depend on the security parameter $\lambda$ or on 
randomness chosen at setup. We encode these choices into a policy parameter $\chi$ 
generated at setup, and use policies $\mathcal{P}_\chi$ and roles $\mathcal{R}_\chi$. For brevity, we will omit 
$\chi$ when it is unambiguous. 

For a policy $\pi$ and a role $\rho$, we write $\mathrm{open}(\rho, \pi)$ if a user with a secret key for $\rho$ 
is allowed to decrypt a message encrypted under $\pi$. We require this relation to be 
monotone, meaning that if $\rho \succeq \rho'$ and $\mathrm{open}(\rho', \pi)$ then $\mathrm{open}(\rho, \pi)$. For simplicity, 
we require that $\mathcal{R}$ contains a top element $\top$, such that $\top \succeq \rho$ for all $\rho \in \mathcal{R}$, and 
$\mathrm{open}(\top, \pi)$ for all $\pi \in \mathcal{P}$. Informally, greater roles open more messages, and the 
greatest role, $\top$, can open them all. Obviously, only a highly-trusted authority 
should hold the secret key $K_\top$. 

A GIBE consists of four randomized algorithms: 

- $\mathrm{Setup}(\lambda, SP)$ takes as input a security parameter $\lambda$ and setup parameters 
$SP$. It returns public parameters $PP$ (which include the policy parameter $\chi$) 
and a master secret key $K_\top$. 

- $\mathrm{Delegate}(PP, \rho, K_\rho, \rho')$ takes the secret key $K_\rho$ for role $\rho$ and returns a secret 
key $K_{\rho'}$ for $\rho'$, where $\rho \succeq \rho'$. 

- $\mathrm{Encrypt}(PP, \pi, m)$ encrypts a message $m$ under a policy $\pi$. 

- $\mathrm{Decrypt}(PP, \rho, K_\rho, \pi, c)$ decrypts a ciphertext $c$ using a secret key $K_\rho$. 
Decryption may fail. However, we require that decryption succeeds when 
$\mathrm{open}(\rho, \pi)$, so that: 

$$\mathrm{Decrypt}(PP, \rho, K_\rho, \pi, \mathrm{Encrypt}(PP, \pi, m)) = m$$ 

for all $PP$ generated by Setup, for all policies $\pi$ and roles $\rho$ with $\mathrm{open}(\rho, \pi)$, and for all keys 
$K_\rho$ for $\rho$ delegated directly or indirectly from $K_\top$. 

We require that the algorithms Setup, Delegate, Encrypt, Decrypt and the predi- 
cates open and $\succeq$ all run in expected polynomial time in $\lambda$. We also require that 
delegation is independent of the path taken; that is, if $\rho_1 \succeq \rho_2 \succeq \rho_3$, then 

$$\mathrm{Delegate}(PP, \rho_1, K_{\rho_1}, \rho_3)$$ 

should produce the same distribution as 

$$\mathrm{Delegate}(PP, \rho_2, \mathrm{Delegate}(PP, \rho_1, K_{\rho_1}, \rho_2), \rho_3).$$ 

2.1 Security 

We define the security of a GIBE $\mathcal{I}$ in terms of a family of security games between 
a challenger and an adversary. The system parameters $SP$ are fixed, and the 
adversary is allowed to depend on them. We define the full, CCA2, anonymous 
game first (anonymity here refers to the property that the ciphertext leaks no 
information about the policy used to create it [ref]). 

Setup: The challenger runs $\mathrm{Setup}(\lambda, SP)$ and sends $PP$ to the adversary. 

First query phase: The adversary makes several delegation queries $\rho_i$ to the 
challenger, which runs $\mathrm{Delegate}(PP, \top, K_\top, \rho_i)$ and returns the resulting $K_{\rho_i}$. 
The adversary may also make decryption queries $(\rho_i, \pi_i, c_i)$ to the challenger, 
where $\mathrm{open}(\rho_i, \pi_i)$. The challenger runs $K_{\rho_i} \leftarrow \mathrm{Delegate}(PP, \top, K_\top, \rho_i)$, then 
runs $\mathrm{Decrypt}(PP, \rho_i, K_{\rho_i}, \pi_i, c_i)$ and returns the resulting $m_i$ (or fails). 

Challenge: The adversary chooses messages $m_0$ and $m_1$ and policies $\pi^*_0$ and $\pi^*_1$, 
and sends them to the challenger. We require that the adversary has not 
been given decryption keys for these policies, that is, $\neg\mathrm{open}(\rho_i, \pi^*_j)$ for all 
delegation queries $\rho_i$ in the first query phase, and for $j \in \{0, 1\}$. 

The challenger chooses a random $b \in \{0, 1\}$, runs $\mathrm{Encrypt}(PP, \pi^*_b, m_b)$, and 
returns the resulting challenge ciphertext $c^*$ to the adversary. 

Second query phase: The second query phase is exactly like the first, except 
that the adversary may not issue decryption queries for $c^*$, and the adversary 
may not make delegation queries for roles that open $\pi^*_j$ for $j \in \{0, 1\}$. 

Guess: The adversary outputs a bit $b' \in \{0, 1\}$. The adversary wins if $b' = b$, 
and otherwise it loses. 

There are several important variants on the above game: 

- In a CCA1 game, the adversary may not issue decryption queries during the 
second query phase. 

- In a CPA game, the adversary may not issue decryption queries at all. 

- In a non-anonymous game, we require that $\pi^*_0 = \pi^*_1$. 

- In a selective game, the setup phase is modified. The challenger sends the 
policy parameter $\chi$ to the adversary. The adversary chooses in advance its 
$\pi^*_0$ and $\pi^*_1$ and sends them to the challenger. Then the challenger sends the 
rest of the public parameters $PP$. 

We define adversary $\mathcal{A}$'s advantage in game variant $V$ (when $\mathcal{A}$ is attacking the 
GIBE system $\mathcal{I}$ with parameter $SP$) to be 

$$V\mathrm{Adv}_{\mathcal{A} \Leftarrow (\mathcal{I}, SP)}(\lambda) := \bigl| \Pr[\mathcal{A} \text{ wins } V] - \Pr[\mathcal{A} \text{ loses } V] \bigr|.$$ 

We say that a GIBE $\mathcal{I}$ is $V$-secure if for all setup parameters $SP$ and all proba- 
bilistic polynomial-time adversaries $\mathcal{A}$, the function $V\mathrm{Adv}_{\mathcal{A} \Leftarrow (\mathcal{I}, SP)}(\lambda)$ is a neg- 
ligible function of $\lambda$. 

In this paper we will primarily focus on the simplest security model, namely 
selective security, non-anonymous, against a CPA adversary. We denote the ad- 
versary's advantage in this model by $(\mathrm{NonAnon}, \mathrm{Sel}, \mathrm{CPA})\mathrm{Adv}_{\mathcal{A} \Leftarrow (\mathcal{I}, SP)}(\lambda)$. 

2.2 Example GIBE Instances 

Many instances of GIBE already appear in the literature: 

- In traditional IBE [ref] the policies are simply identities and the roles are 
identities or $\top$. A message encrypted to an identity $I$ can be decrypted only 
with a key for $I$ or for $\top$. There is no delegation except from $\top$. 

- In broadcast IBE [ref] the policies are sets of identities and the roles are 
identities or $\top$. A message to a set $S$ of identities can be decrypted only 
with a key for $I \in S$, or for $\top$. There is no delegation except from $\top$. 

- In attribute-based encryption (ABE) [12], the policies are subsets of a set $\mathcal{S}$ of 
attributes, and the roles are upwardly closed subsets of $\mathcal{T} := 2^{\mathcal{S}}$. A message 
to a set $S$ of attributes can be decrypted with a key for any set containing $S$. 
Reference [12] does not define a delegation model for attribute-based encryption, but 
the circuit-based implementation permits delegation by widening a $k$-of-$n$ 
threshold gate into a $(k+1)$-of-$(n+1)$ threshold gate. 

- In hierarchical IBE [ref] the policies are identities and the roles are points 
in the hierarchy, with $\top$ at the root of the hierarchy. Here the key for a point 
$x$ can either delegate to or decrypt from any point $y$ below $x$. 

- In forward-secure [ref] systems, the roles and policies include a time $t$. Roles 
can be delegated by increasing the time $t$, and cannot decrypt messages with 
an earlier $t$. 

The games used to define the security of these instances are special cases of 
the GIBE games. In the next section we will show that most of these instances 
can be constructed from a GIBE we call spatial encryption. These generic con- 
structions for IBE and HIBE are competitive with the best known hand-tailored 
constructions. For broadcast IBE and forward-secure IBE our generic construc- 
tion has short ciphertexts, but the private key is longer than in the best known 
tailor-made constructions [ref]. 

2.3 Embedding Lemmas 

It is clear that some GIBEs can be used to construct other GIBEs. For example, 
it is obvious that any broadcast IBE can also function as a traditional IBE. 

In particular, suppose that we have a GIBE $\mathcal{I}$ with policies $\mathcal{P}_\chi$ and roles 
$\mathcal{R}_\chi$, and we wish to define a GIBE with policies $\mathcal{P}'_\chi$ and roles $\mathcal{R}'_\chi$. Suppose 
that we are given an efficient injective map $f_{\mathcal{P}} : \mathcal{P}'_\chi \rightarrow \mathcal{P}_\chi$ and an efficient 
embedding $f_{\mathcal{R}} : \mathcal{R}'_\chi \rightarrow \mathcal{R}_\chi$ which satisfy $\mathrm{open}(f_{\mathcal{R}}(\rho), f_{\mathcal{P}}(\pi)) \iff \mathrm{open}(\rho, \pi)$ 
and $f_{\mathcal{R}}(\top) = \top$. Then we can define a GIBE $\mathcal{I}'$ with policies $\mathcal{P}'_\chi$ and roles $\mathcal{R}'_\chi$ 
simply by applying $f_{\mathcal{P}}$ to all policies and $f_{\mathcal{R}}$ to all roles. 

Lemma 1 (Embedding Lemma). Let $\mathcal{I}$ and $\mathcal{I}'$ be GIBEs as defined above. 
For any GIBE adversary $\mathcal{A}$ against $\mathcal{I}'$, there is a GIBE adversary $\mathcal{B}$ against $\mathcal{I}$, 
running in about the same time as $\mathcal{A}$, such that 

$$V\mathrm{Adv}_{\mathcal{A} \Leftarrow (\mathcal{I}', SP)}(\lambda) = V\mathrm{Adv}_{\mathcal{B} \Leftarrow (\mathcal{I}, SP)}(\lambda).$$ 

Similarly, we can sometimes use collision-resistant hashing to construct new 
GIBEs. Suppose we have a GIBE $\mathcal{I}$ in which policies and roles are lists of elements 
of some set $X$, and in which open and $\succeq$ are decided in a monotone fashion by 
comparing certain elements for equality. Suppose also that we have an efficient 
collision-resistant hash $H : X' \rightarrow X$ on some other set $X'$. Then we can define a 
GIBE $\mathcal{I}'$ which is identical to $\mathcal{I}$ except that its policies and roles are lists over 
$X'$ instead of $X$, and all operations apply $H$ pointwise to the policies and roles. 

Lemma 2 (Hashed Embedding Lemma). Let $\mathcal{I}$ and $\mathcal{I}'$ be GIBEs as defined 
above. For any GIBE adversary $\mathcal{A}$ against $\mathcal{I}'$, there is a GIBE adversary $\mathcal{B}_1$ 
against $\mathcal{I}$ and a collision-resistance adversary $\mathcal{B}_2$ against $H$, each running in 
about the same time as $\mathcal{A}$, such that 

$$V\mathrm{Adv}_{\mathcal{A} \Leftarrow (\mathcal{I}', SP)}(\lambda) \le V\mathrm{Adv}_{\mathcal{B}_1 \Leftarrow (\mathcal{I}, SP)}(\lambda) + \mathrm{CRAdv}_{\mathcal{B}_2 \Leftarrow H}(\lambda).$$ 

The proofs of these lemmas are immediate and are omitted. 

3 Spatial Encryption: An Important Instance of GIBE 

The building block for systems in our paper will be spatial encryption, a new 
GIBE. In spatial encryption, the policies $\mathcal{P}$ are the points of an $n$-dimensional 
affine space $\mathbb{Z}_p^n$. The roles $\mathcal{R}$ are all affine subspaces $W$ of $\mathbb{Z}_p^n$ ordered by inclusion, 
and $\mathrm{open}(W, \pi) \iff W \ni \pi$. 

3.1 Systems Derived from Spatial Encryption 

To demonstrate the power of spatial encryption, we show that many other GIBEs 
are embedded in it. 

Hierarchical IBE. Hierarchical IBE is trivially embeddable in spatial encryp- 
tion. Here the path components are elements of $\mathbb{Z}_p$, and the paths are limited 
to length at most $n$. This extends easily to hierarchical IBE where the path 
components are strings by using the Hashed Embedding Lemma. This is not the 
only embedding of hierarchical IBE in spatial encryption, however. 
Inclusive IBE. In inclusive IBE, the policies are subsets of size at most $n$ 
of a set of identities. The roles are also subsets of size at most $n$, where $\rho \succeq 
\rho' \iff \rho \subseteq \rho'$: that is, one can delegate by adding elements to a set. We say 
that $\mathrm{open}(\rho, \pi)$ iff $\rho \subseteq \pi$; that is, a message to a set can be decrypted with a key 
for any subset. 

We can embed inclusive IBE in a spatial system of dimension $n + 1$. Here 
the identities are elements of $\mathbb{Z}_p$, but this extends to inclusive IBE with strings 
as identities using the Hashed Embedding Lemma. We encode a policy $\pi \subseteq \mathbb{Z}_p$ 
as the coefficients of the polynomial $\pi(x) := \prod_{c \in \pi} (x - c)$; this polynomial has 
degree at most $n$ and therefore has at most $n + 1$ coefficients. We encode a role 
$\rho \subseteq \mathbb{Z}_p$ as the vector subspace of coefficients of polynomials which are divisible 
by $\prod_{c \in \rho} (x - c)$. 

Inclusive IBE seems almost as powerful as spatial encryption; nearly all the 
applications in this paper use inclusive IBE rather than using spatial encryption 
directly. 

Inclusive IBE can be built using attribute-based encryption, but this con- 
struction is less efficient than spatial encryption. In particular, the ciphertext 
has size $O(n)$. Our construction gives constant size ciphertext. 
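
The embedding of inclusive IBE just described can be checked concretely: a policy becomes the coefficient vector of $\prod_{c \in \pi}(x - c)$, a role becomes the subspace of coefficient vectors divisible by $\prod_{c \in \rho}(x - c)$, and the spatial predicate "the policy point lies in the role's subspace" is decided by polynomial division. The following Python is an added example and not the paper's code; the modulus $P = 101$, the bound $N = 4$ and the six-element identity universe are illustrative choices, and the last function exhaustively verifies the condition $\mathrm{open}(f_{\mathcal{R}}(\rho), f_{\mathcal{P}}(\pi)) \iff \mathrm{open}(\rho, \pi)$ that the Embedding Lemma requires.

```python
# Added example (not from the paper): the inclusive-IBE embedding into spatial
# encryption, with the spatial "open" predicate decided by polynomial division
# over Z_P. P, N and the identity universe are illustrative choices.

from itertools import combinations

P = 101   # toy prime; identities are elements of Z_P (an assumption for the demo)
N = 4     # sets of at most N identities, i.e. spatial dimension N + 1


def poly_mul(a, b, p=P):
    """Multiply polynomials over Z_p given as coefficient lists, lowest degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out


def set_polynomial(ids, p=P):
    """Coefficients of prod_{c in ids} (x - c) over Z_p; the empty set gives the constant 1."""
    poly = [1]
    for c in ids:
        poly = poly_mul(poly, [(-c) % p, 1], p)
    return poly


def encode_policy(pi, n=N, p=P):
    """f_P: the point of Z_p^(n+1) whose coordinates are the coefficients of pi(x),
    padded with zeros up to degree n."""
    if len(pi) > n:
        raise ValueError("a policy holds at most n identities")
    coeffs = set_polynomial(pi, p)
    return coeffs + [0] * (n + 1 - len(coeffs))


def poly_mod(num, den, p=P):
    """Remainder of num modulo the monic polynomial den over Z_p."""
    rem = list(num)
    d = len(den) - 1
    for i in range(len(rem) - 1, d - 1, -1):
        coef = rem[i]
        if coef:
            for j in range(d + 1):
                rem[i - d + j] = (rem[i - d + j] - coef * den[j]) % p
    return rem[:d]


def in_role_subspace(rho, point, p=P):
    """The spatial predicate open(f_R(rho), point): the point lies in the subspace of
    coefficient vectors of polynomials divisible by prod_{c in rho} (x - c), which
    holds exactly when the remainder of the division is zero."""
    return all(r == 0 for r in poly_mod(point, set_polynomial(rho, p), p))


def open_inclusive(rho, pi):
    """open(rho, pi) as inclusive IBE defines it: rho is a subset of pi."""
    return set(rho) <= set(pi)


def embedding_agrees(universe=range(1, 7), n=N):
    """Exhaustively confirm open(f_R(rho), f_P(pi)) <=> open(rho, pi), the condition
    the Embedding Lemma needs, over all subsets of a small identity universe."""
    subsets = [s for k in range(n + 1) for s in combinations(universe, k)]
    return all(in_role_subspace(rho, encode_policy(pi)) == open_inclusive(rho, pi)
               for rho in subsets for pi in subsets)
```

The direction $\rho \not\subseteq \pi \Rightarrow$ non-zero remainder relies on $p$ being prime and the identities being distinct modulo $p$: some $c \in \rho \setminus \pi$ then satisfies $\pi(c) = \prod_{c' \in \pi}(c - c') \neq 0$, so $(x - c)$ does not divide $\pi(x)$. With strings as identities this is exactly where the Hashed Embedding Lemma's collision resistance is needed.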

Co-inclusive IBE. Co-inclusive IBE is the dual of inclusive IBE. Policies and 
roles (other than $\top$) are sets of at most $n$ identities, where $\rho \succeq \rho' \iff \rho \supseteq \rho'$: 
that is, one can delegate by removing elements from a set. We say that $\mathrm{open}(\rho, \pi)$ 
iff $\rho \supseteq \pi$; that is, a message to a set can be decrypted with a key for any set 
which contains it. 

We can embed co-inclusive IBE in a spatial system of dimension $2n$. For a 
role $\rho$, we assign the span of $\{v_i : i \in \rho\}$, where $v_i = (1, i, i^2, \ldots, i^{2n-1})$ is the 
Vandermonde vector for $i$. To encrypt to a policy $\pi$, we encrypt to $v_\pi := \sum_{i \in \pi} v_i$. 
It is clear that $v_\pi$ is not contained in the subspace for any role $\rho' \not\supseteq \pi$, for then 
we would have expressed $v_\pi$ as a sum of at most $2n$ linearly independent vectors 
in two different ways. 

Co-inclusive IBE can be built using attribute-based encryption, but this con- 
struction is less efficient than spatial encryption. Once again, the ciphertext has 
size $O(n)$. Our construction gives constant size ciphertext. 

Broadcast Hierarchical IBE. Broadcast HIBE (and therefore also vanilla 
broadcast IBE [ref]) is embeddable in inclusive IBE. The role for a path $a/b/c/\ldots$ 
in the hierarchy is the set $\{a, a/b, a/b/c, \ldots\}$. The policy for a set of nodes in the 
hierarchy is the union of their roles. The scheme can broadcast to a set of points 
$S$ in the hierarchy if the number of distinct path prefixes in $S$ is less than the di- 
mension $n$. 

For a useful broadcast system, short ciphertexts are required. Our spatial 
encryption has constant-size ciphertexts, so our broadcast HIBE does as well. 

Product Schemes. For GIBEs $\mathcal{I}_1, \mathcal{I}_2$ with roles $\mathcal{R}_1, \mathcal{R}_2$ and policies $\mathcal{P}_1, \mathcal{P}_2$, 
respectively, we define a product scheme $\mathcal{I}_1 \otimes \mathcal{I}_2$. This scheme's roles are $\mathcal{R}_1 \times \mathcal{R}_2$ 
and its policies are $\mathcal{P}_1 \times \mathcal{P}_2$. Here $\mathrm{open}((\rho_1, \rho_2), (\pi_1, \pi_2))$ if and only if $\mathrm{open}(\rho_1, \pi_1)$ 
and $\mathrm{open}(\rho_2, \pi_2)$, and similarly $(\rho_1, \rho_2) \succeq (\rho'_1, \rho'_2)$ if and only if $\rho_1 \succeq \rho'_1$ and 
$\rho_2 \succeq \rho'_2$. Note that this is different from what can be accomplished with double 
encryption, for here the recipient needs to be able to decrypt both components 
using a single key $K_{(\rho_1, \rho_2)}$. For instance, in the forward-secure encryption system 
that follows, a recipient decrypts with a key for a role $\rho$ issued before time $t$, not 
a key for $\rho$ and another key issued before time $t$. 

Using the vector space $\mathbb{Z}_p^{n_1 + n_2} = \mathbb{Z}_p^{n_1} \times \mathbb{Z}_p^{n_2}$, we can embed two instances of 
spatial encryption with dimensions $n_1$ and $n_2$ in one of dimension $n_1 + n_2$. There- 
fore, if two schemes $\mathcal{I}_1$ and $\mathcal{I}_2$ are embeddable in spatial systems of dimensions 
$n_1$ and $n_2$, their product $\mathcal{I}_1 \otimes \mathcal{I}_2$ is embeddable in a spatial system of dimension 
$n_1 + n_2$. Similarly, we can construct product schemes in inclusive IBE. Here the 
policies are of the form $\pi_1 \uplus \pi_2$ and the roles are of the form $\rho_1 \uplus \rho_2$, where $\uplus$ 
denotes a disjoint union. 

Multiple Authorities. A common limitation in IBE systems is the need to 
trust a single central authority. The central authority has the ability to decrypt 
any message sent using the system, but equally importantly, the central author- 
ity must correctly decide to whom it will issue keys for a given role. The hu- 
man element of this authentication problem makes it less amenable to technical 
solutions. 

Product schemes are a step toward a solution to this problem. Let $\mathcal{I}_a$ be a 
broadcast system whose identities are the names of authorities, and let $\mathcal{I}_s$ be 
any GIBE. Then the product system $\mathcal{I}_a \otimes \mathcal{I}_s$ is a multi-authority version of $\mathcal{I}_s$. 
A (possibly distributed) central dealer gives each authority $a$ the decryption key 
for the role $(a, \top)$. Then if a user wishes to encrypt a message to some policy 
$\pi \in \mathcal{P}_s$, and trusts a set $A$ of authorities, she encrypts the message to $(A, \pi)$. 
This can be decrypted only by a user who holds the key for $(a, \rho)$ where $a \in A$ 
and $\mathrm{open}(\rho, \pi)$, that is, one whom $a$ has certified for a role which opens $\pi$. 

Forward Security. There are already constructions of forward-secure IBE from 
HIBE, so we already know that forward-secure encryption is embeddable in 
spatial encryption [ref]. We show a trivial forward-secure system from spatial 
encryption that will be useful in constructing product schemes. Set the policy 
for a time $t$ to be the vector of $t$ ones followed by $n - t$ zeros, and the role for a 
range of times $[t_1, t_2]$ to be the affine subspace of $t_1$ ones, followed by any $t_2 - t_1$ 
components, followed by $n - t_2$ zeros. 

A similar construction works for forward-secure IBE based on inclusive IBE. 
These constructions require many more dimensions than [ref], but they require 
the user to store only one secret key for a given range of times. This makes them 
more efficient for use in product schemes. 
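
Both the co-inclusive embedding and the forward-secure system reduce to the same spatial predicate: is the policy point contained in the affine subspace $\mathrm{Aff}(M, a) = \{Mx + a\}$ assigned to the role, i.e. is $\pi - a$ in the column span of $M$? The following Python is an added example, not the paper's code; it decides that predicate by Gaussian elimination over $\mathbb{Z}_P$ (with the toy prime $P = 1009$ as an assumption) and applies it to both encodings above: time ranges $[t_1, t_2]$ as affine subspaces, and co-inclusive roles as spans of Vandermonde vectors of length $2n$ with $n = 3$.

```python
# Added example (not from the paper): the spatial predicate open(Aff(M, a), pi) as a
# linear-algebra check over Z_P, applied to the forward-security encoding and to
# the co-inclusive Vandermonde encoding. P and the sample sizes are assumptions.

P = 1009  # toy prime for the ambient space Z_P^n (an assumption for the demo)


def solve_mod(M, b, p=P):
    """True iff M x = b is solvable over Z_p; M is a list of n rows with d columns.

    Gaussian elimination on the augmented matrix; the system is inconsistent exactly
    when a row of M reduces to zero while its right-hand side does not.
    """
    n, d = len(M), (len(M[0]) if M else 0)
    aug = [list(row) + [bi % p] for row, bi in zip(M, b)]
    rank = 0
    for col in range(d):
        pivot = next((r for r in range(rank, n) if aug[r][col] % p), None)
        if pivot is None:
            continue
        aug[rank], aug[pivot] = aug[pivot], aug[rank]
        inv = pow(aug[rank][col], -1, p)
        aug[rank] = [(v * inv) % p for v in aug[rank]]
        for r in range(n):
            if r != rank and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(rv - f * pv) % p for rv, pv in zip(aug[r], aug[rank])]
        rank += 1
    return all(any(row[:-1]) or row[-1] == 0 for row in aug)


def in_affine_space(M, a, point, p=P):
    """open(Aff(M, a), point): is point - a in the column span of M?"""
    b = [(x - y) % p for x, y in zip(point, a)]
    if not M or not M[0]:            # zero-dimensional space, i.e. the single point a
        return all(v == 0 for v in b)
    return solve_mod(M, b, p)


# Forward security: the policy for time t is t ones followed by n - t zeros, and the
# role for [t1, t2] fixes the first t1 coordinates to one, frees t1..t2-1, and fixes
# the rest to zero.

def time_policy(t, n):
    return [1] * t + [0] * (n - t)


def time_range_role(t1, t2, n):
    a = [1] * t1 + [0] * (n - t1)
    M = [[1 if i == t1 + j else 0 for j in range(t2 - t1)] for i in range(n)]
    return M, a


def open_time(t1, t2, t, n):
    M, a = time_range_role(t1, t2, n)
    return in_affine_space(M, a, time_policy(t, n))


# Co-inclusive IBE: a role is the span of the Vandermonde vectors of its members, a
# policy is the sum of the Vandermonde vectors of its members, both of length 2n.

def vandermonde(i, n, p=P):
    return [pow(i, k, p) for k in range(2 * n)]


def coinclusive_role(rho, n, p=P):
    cols = [vandermonde(i, n, p) for i in sorted(rho)]
    M = [[c[k] for c in cols] for k in range(2 * n)]
    return M, [0] * (2 * n)


def coinclusive_policy(pi, n, p=P):
    v = [0] * (2 * n)
    for i in pi:
        v = [(x + y) % p for x, y in zip(v, vandermonde(i, n, p))]
    return v


def open_coinclusive(rho, pi, n, p=P):
    M, a = coinclusive_role(rho, n, p)
    return in_affine_space(M, a, coinclusive_policy(pi, n, p), p)
```

The co-inclusive check is only sound because $|\rho| \le n$ and $|\pi| \le n$ keep $|\rho \cup \pi| \le 2n$, so the Vandermonde vectors involved stay linearly independent; allowing larger sets would let $v_\pi$ fall into the span of a role that does not contain $\pi$.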

CCA2 Security. Following j 3 j, we can use a MAC and a commitment scheme 
to create a CCA2-secure encryption 1' scheme from a scheme X which is merely 
CPA-secure. To encrypt a message m to a policy 77, we choose a random MAC 
key k, a commitment com to k and the decommitment dec. We encrypt c := 
Encrypt( PP, (77, com), (m, dec)) using the product X®IBE, and set the ciphertext 
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as (com, c,MAC(fc, c)). The resulting scheme is anonymous if X is, and fully 
secure if X is. The proof is exactly as in PJ . 

Email Encryption. We have now solved the motivating example of practical 
email encryption: by composing the above constructions, we can easily build a 
forward-secure, multiple-authority, CCA 2 -secure broadcast hierarchical encryp- 
tion system. This system can encrypt a message to n r (path prefixes of) re- 
cipients, trusting in n a authorities, with t time periods in a single key. The 
ciphertexts have constant size, and the private keys have size 0(n a +n r + t). 

Short Identity-Based Ring Signatures. We can convert a GIBE X to an 
identity-based signature scheme using the product scheme X ® IBE. The signing 
key for a role p is JKW Tit and a signature of a message m under a role p is 
K(p,H(rn)) > where H is a collision-resistant hash. This construction has the curi- 
ous property that a signature by p on a message m can be delegated to produce 
a signature by p' on m for any p' A p. If this property is undesirable, delegation 
can be prevented by using H((p,m)) instead of H(m) above. 

If the construction of X ⊗ IBE is fully secure, then this signature scheme 
will be unforgeable; if it is selectively secure, then the sign
...
<gr_replace lines="25132-25137" cat="clarify" orig="To complete">
To complete the description of the tag tracing method, we need to check if it is 
possible to detect collisions. The distinguished point method is well suited for 
our tag tracing. 

Usually, the distinguished points are defined to be points with a certain number 
of starting bits equal to zero, under a fixed encoding. With tag tracing, we use 

If we choose X to be inclusive IBE, then this construction gives an identity- 
based ring signature system [1 5ISI1 Sj . in which a user A can sign messages 
anonymously on behalf of any set of users containing A. A straightforward im- 
plementation using spatial encryption would result in long signatures, but the 
length results from the ability to delegate signatures further. By removing this 
ability, we can build constant-length identity-based ring signatures. We give the 
details in the full version of the paper. 

4 Constructing a Spatial Encryption System 

We now turn to the construction of a selectively-secure n-dimensional spatial 
encryption system with constant-size ciphertext. Our construction is inspired 
by the construction of a constant size HIBE given in j2|. Our proof of security, 
however, requires a slightly stronger complexity assumption, namely the BDDHE 
assumption previously used in 0 . 


4.1 Notation 

Vectors in this paper are always column vectors. When writing them inline, we 
transpose them to save space. We will be working with vectors of group elements, 
so we will adopt a convenient notation. For a vector v = (ui, V 2 , ■ ■ ■ , v n ) T 6 Z” 
of field elements, we use g v to denote the vector of group elements 
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In many cases, we will manipulate these without knowing the actual vector v. For 
example, given g v and w, we can easily compute g > ' v ’ w \ where (v, w) := v T w 
is the usual dot product on Z£. 

We will write Aff(M, a) C Z” for the d-dimensional affine space { M x + a : 
x e l d p }. 

4.2 The System 

The system parameters for our spatial encryption system will be a prime p 
(where log p is approximately the security parameter A) and two groups G and 
G t of order p, with a bilinear pairing e:GxG^ G t- Additionally, the public 
parameters will include group elements g,g a °,t £ G t and a vector g a £ G". 

A secret key for an affine space V := Aff(M, x) will have the form 

where b is the master secret and r is random in 7L V . 

The four GIBE algorithms work as follows: 

— Setup(X,n ) generates the system parameters p, G, Gr- It then chooses pa- 
rameters 

g* G*, a 0 £z p , a£z£ 

and secret parameter b G, then computes t := e(g, g) b . It outputs public 
parameters 

PP := ( p, G, G t ; g, g ao , g a , t ) 
and master secret key 

Kt := ( 9, g\ g a ) G G n+2 

- Delegate(T J T J . V t , K Vl , V 2 ) takes two subspaces Vi := S{M\,x\) and V2 := 
S{M 2 , X2 ). Since V2 is a subspace of V, we must have M 2 = Mi T and 
x' 2 = Xi + All V for some (efficiently computable) matrix T and vector y. 
We can then compute a key 

K V2 := ( g r , • g ryTM ' °, g rTTM ' 0 ) 

= ( 9 r , g b + ra «+ r ^’ a \ g rM ? a ) 

for V 2 . However, we also need to re-randomize it. To do this, we pick a 
random s <— Z p and compute 

Kv 2 := ( g r ■ g S , gW°*H*»+)> ■ g rMj a . gS M ? a 

= ( g T+S , g b +(r+s)(a 0 +M)^ g (r+s)Mj a ) 

Notice that Vi and V 2 may be the same subspace. In that case, this formula 
translates the secret key between different forms for Vi and re-randomizes 
it. As a result, we are free to choose whatever representation of V we wish. 
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— Encrypt(PP, x, m), where m is encoded as an element of the target group 

Gt, picks a random s and computes a ciphertext 

( 9 s , g s ( a ° + ( sc ’ a '>\ m-t s ) 

— Decrypt(PP,V,Kv,x,c) where c = (ci, 02,03) is the above ciphertext, first 

delegates K v to obtain the key K^y = (jfei, fcg) := ( g r , < ? b + r (°o+(“ ! >“}) it 

then recovers 

c 3 • e(c2,fci) _ m ■ t s ■ e (g,g) rs ( ao+{ - x ' a) _ 
e{ci,k> 2 ) e (g tg yb+rs(a 0 +( X ,a.)) 171 

4.3 Bilinear Decision DifRe-Hellman Exponent 

To prove security we use a generalization of bilinear DifRe-Hellman first proposed 
in jS|. Let G be a group of prime order p, and let g be a, generator of g. Let 
e:GxC-> Gt be a bilinear map, and let n be a positive integer. We define 
the notation g ala ’ b] for integers a < b as 

9 ala ’ b] ■= (g aa , 9 aa+1 , ■ ■ • , 5“”) 

We then define distributions 

Pbddhe := choose: g ^ G*,a Z p , h G*, z *— e(g , h) a " 

output: ^ g a{ °' n 11 , g a[n+1,2n \ h, z'j 

7^-bddhe := choose: g G*, a Z p , h G*, z *— Gt 
output: ^ g al °’ n 11 , g aln+1,2n \ h, z'j 

We define the BDDHE-advantage of a randomized algorithm A : G 2n+1 x Gt — > 
{ 0, 1} as 

BDDHE Adv An (A) := |Pr [ A(x) = 1 : * * Pbddhe ] 

— Pr [ A(x) = 1 : x 72-bddhe j | 

4.4 Proof of Selective Security 

Call the spatial encryption system above S. To make the proof more readable 
we abstract away re-randomization terms in the main proof of security. To do 
so, we divide the proof into two steps: 

— First, we show in Observation [Q that if the system <S is insecure then so is a 
system with rigged randomization parameters (i.e. a system where ao, a, b, r 
and s are chosen non- uniformly). This step is straightforward. 
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— Second, we show in Theorem Q] that a specific rigging of the randomization 
parameters in S is secure. The combination of these two steps implies that 
S is secure. 

We believe that hiding re-randomization terms in the main simulation makes 
the proof easier to understand. 

Observation 1 (Rigged parameters). Let S' be identical to S except that 
ao , a, b, the r in delegation queries and the s in the challenge ciphertext are 
chosen by some algorithm rather than uniformly at random. Then for any V- 
adversary A against S, there is is a V-adversary B against S' , running in about 
the same time as A, such that 

VAdv^ (5 ,„)(A) = VAdv BM(5 , A) (A) 

Proof. The adversary B runs A, but re-randomizes M’s queries and the simu- 
lator’s responses. More concretely, at setup time B chooses uniformly random 
a' 0 Z p , a' Z p , b' Z p . It sends A the public parameters 

( P , G, G t ; g , g ao+a '°, g a+a , t-e(g,g) b ' ) 

B then adjusts M’s queries to match these public parameters. For example, when 
A makes a delegation query, B passes the query through directly to the chal- 
lenger. Given the response 

(V, /+™0+^,a> ) g rM-a^ 

B computes a new key 

( 9% • / ■ foTW-’T g rM a ■ («"'•' ) 

B re-randomizes it using Delegate, and returns it to A. 

Because M’s view of the parameters is uniformly random, it is attacking the 
system S. At the end, B will win its iS'-game if and only if M wins its <S-game, so 

VAdv^ (5 ,„)(A) = VAdv BWS , A) (A) 

as claimed. 

We now proceed to the selective-security game. Here we prove that spatial 
encryption is selectively CPA secure so long as the BDDHE-problem is hard 
onG. 

Theorem 1. Let A be any non- anonymous, selective CPA adversary against 
S. Then there is a BDDHE-adversary B, running in about the same time as A, 
such that: 

BDDHE Advg >n+ i (A) = i • (NonAnon, Sel, CPA)Adv_ 4 „ (5 n) (A) 
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Proof. We first use the above observation to construct an ^'-adversary A! with 
the same advantage as A. Our proof then follows by direct reduction. The sim- 
ulator B takes p,G,Gx and (g , “ I °’ nl , g aln+2 ' 2 " +2] , h, z) from the BDDHE prob- 
lem above. For the setup phase, B passes to A! the policy parameters x = 
(p, G,Gr,n). Upon receiving the intended target policy v, the simulator sets 

a = a^’ n \ ao = —(v,a), b=a n+1 

Note that while B cannot efficiently compute a, ao or b, it can compute g a ,g a ° 
and e(g,g) b which are all it needs to present the public parameters to A'. 

To answer delegation queries for a subspace V = Aff (M,x), the simulator 
finds a vector u = (u\,U 2 , ■ ■ ■ ,u n ) T such that M T u = 0, but ( x — v,u) ^ 0. 
Such a u must exist since v £ V, and it can easily be found by the Gram-Schmidt 
process. The simulator then formally sets 

_ uia n + U 2 a n - 1 + . . . + u n a 
( x — v, u) 

Note that while B cannot efficiently compute r, it can compute g T . Now, for 
any vector y, the coefficient of the missing term a n+1 in r ( y , a) is exactly 
(y,u)/(x — v, u). Therefore, rM T a is a vector of polynomials in a of degree 
at most 2 n, and the coefficient of a n+1 is zero by the choice of u. Therefore 
B can compute g rM ~ a efficiently from g al °’ n] and g aln+2 ’ 2n] . Similarly, B can 
compute 

gb -r(ao-r<«,a» = g a n +r{v- X ,a) 

= g a n +P(.cx)+{v-*,-u)cx n /{*-v, U ) 


where P(a) has degree 2 n and a zero coefficient on the a n+1 term. B uses this 
technique to answer delegation queries during both query phases. 

To construct a challenge ciphertext for the message to*, the simulator formally 
sets s = log ff h, returning c = (h,z ■ to). 

B returns 1 if A! guesses correctly, and 0 otherwise. Now, if z = e{g, h) a " , 
this is a valid challenge ciphertext, so A! wins with probability 

^ ^ • (NonAnon, Sel, CPA)Adv_ 4 ,^ (5 , A) (A) 

On the other hand, if 2 is random, then so is c and A! wins with probability 
As a result, 

BDDHEAdv B , n+ i(A) = ^ • (NonAnon, Sel, CPA) Adv^^^, ^ (A) 

= ^ • (NonAnon, Sel, CPA)Adv_ 4 ^ (5 n) (A) 


as claimed. 
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4.5 Extensions to Spatial Encryption 

Short Public Parameters. The public parameters g, g a ° and g a in spatial 
encryption consist of uniformly random elements of G (with the caveat that g yt 
1). Therefore, given a random-oracle hash H : [l,n + 2] — * G, these parameters 
can be omitted. 

Policy Delegation. It may be desirable to re-encrypt a message from a policy 
7r to a more restrictive policy n'. A simple model of this is to make V&1Z into a 
partially-ordered set. We say that 7r y tt' if n' can be delegated to n, and p y it 
if open(p, 7 r). The bottom 1 G V of the partially ordered set represents plaintext 
or plaintext-equivalent, i.e. a policy which anyone can decrypt. Then encryption 
becomes a special case of policy delegation, just as key generation is a special 
case of delegation. 

We can implement policy delegation in spatial encryption by allowing encryp- 
tions to any affine subspace W = Aff(M, x) C Z”. This can be decrypted by a 
key Ky if and only if V fl W 7 ^ 0. The encryptions look much like the private 
keys in Section 14.21 



This allows us to construct dual systems for many of the systems in Section 0 
in which policies and roles are transposed. It also enables us to turn co-inclusive 
encryption into a k-of-n threshold system. 

However, ciphertexts for the policy-delegated systems are no longer constant- 
size: their size is instead proportional to the dimension of the policy as a subspace 
of Zp . Furthermore, while the proof given in Section FTTl sdll holds, the limitations 
of selective security seem much stronger: the adversary must choose a subspace 
to attack ahead of time. 

5 Future Work 

The biggest drawback of cryptosystems derived from spatial encryption is that 
our proof only shows selective security. We leave as a significant open problem 
the construction of a fully-secure spatial encryption system under a compact, 
refutable assumption (preferably one simpler than our BDDHE assumption). 
Since most of the systems derived in this paper can be constructed through 
inclusive IBE, a fully-secure inclusive system would be almost as strong a result. 
We note that Gentry’s recent fully-secure “key-randomizable broadcast IBE” m 
is nearly identical to our inclusive IBE, except that Gentry’s adversary is only 
allowed to issue delegation requests for singleton identities. This result suggests 
that a fully-secure inclusive IBE system is within reach. 

Another important challenge is to reduce the the size of the secret keys. Our 
current construction requires users to store 0(n log A) bits of sensitive informa- 
tion in memory and on disk, which may be challenging in some scenarios. 
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6 Conclusions 

We presented GIBE, a general framework for viewing identity-based and broad- 
cast encryption systems. We also constructed a spatial encryption system, which 
is an important instance of GIBE. Spatial encryption supports a product rule 
which enables us to easily construct systems with various encryption properties. 
One result of spatial encryption is broadcast HIBE with short ciphertexts. 

A natural open problem is to constuct a spatial encryption system where both 
ciphertexts and private keys are short. Perhaps the techniques in 0 or m can 
be used towards this goal. 

Acknowledgement 

Special thanks to Adam Barth for helpful discussions on multi-authority email 
encryption. 

References 

1. Abdalla, M., Bellare, M., Catalano, D., Kiltz, E., Kohno, T., Lange, T., Malone- 
Lee, J., Neven, G., Paillier, P., Shi, H.: Searchable encryption revisited: Consis- 
tency properties, relation to anonymous IBE, and extensions. In: Shoup, V. (ed.) 
CRYPTO 2005. LNCS, vol. 3621, pp. 205-222. Springer, Heidelberg (2005) 

2. Boneh, D., Boyen, X., Goh, E.: Hierarchical identity based encryption with constant 
size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 
440-456. Springer, Heidelberg (2005) 

3. Boneh, D., Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from 
identity-based encryption. SIAM J. of Computing (SICOMP) 36(5), 915-942 
(2006) 

4. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. SIAM 
Journal of Computing 32(3), 586-615 (2003); Extended abstract in Crypto 2001 

5. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with 
short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, 
vol. 3621, pp. 258-275. Springer, Heidelberg (2005) 

6. Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. 
In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535-554. Springer, Heidel- 
berg (2007) 

7. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. 
Journal of Cryptology 20(3), 265-294 (2007); Early version in Eurocrypt 2003 

8. Dodis, Y., Kiayias, A., Nicolosi, A., Shoup, V.: Anonymous identification in ad- 
hoc groups. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, 
vol. 3027, pp. 609-626. Springer, Heidelberg (2004) 

9. Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. 
LNCS, vol. 773, pp. 480-491. Springer, Heidelberg (1994) 

10. Gentry, C.: Hierarchial identity based encryption with polynomially many levels. 
Personal communications (2008) 

11. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) 
ASIACRYPT 2002. LNCS, vol. 2501, pp. 548-566. Springer, Heidelberg (2002) 


470 D. Boneh and M. Hamburg 


12. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine- 
grained access control of encrypted data. In: Proceedings of ACM CCS 2006 (2006) 

13. Horwitz, J., Lynn, B.: Towards hierarchical identity-based encryption. In: Knudsen, 
L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 466-481. Springer, Heidelberg 
(2002) 

14. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, poly- 
nomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. 
LNCS, vol. 4965, pp. 146-162. Springer, Heidelberg (2008) 

15. Rivest, R., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) 
ASIACRYPT 2001. LNCS, vol. 2248, pp. 552-565. Springer, Heidelberg (2001) 

16. Sakai, R., Furukawa, J.: Identity-based broadcast encryption (2007), 
http : / / eprint . iacr . org/2007/217 

17. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., 
Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47-53. Springer, Heidelberg 
(1985) 

18. Zhang, F., Kim, K.: ID-based blind signature and ring signature from pairings. 
In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 533-547. Springer, 
Heidelberg (2002) 


Speeding Up the Pollard Rho Method 
on Prime Fields 


Jung Hee Cheon, Jin Hong, and Minkyu Kim 

ISaC and Department of Mathematical Sciences 
Seoul National University, Seoul 151-747, Korea 
{ jhcheon, j inhong, minkyu97}@snu. ac . kr 


Abstract. We propose a method to speed up the r-adding walk on mul- 
tiplicative subgroups of the prime field. The r-adding walk is an iterating 
function used with the Pollard rho algorithm and is known to require less 
iterations than Pollard’s original iterating function in reaching a collision. 
Our main idea is to follow through the r-adding walk with only partial 
information about the nodes reached. 

The trail traveled by the proposed method is a normal r-adding walk, 
but with significantly reduced execution time for each iteration. While 
a single iteration of most r-adding walks on F p require a multiplication 
of two integers of log p size, the proposed method requires an operation 
of complexity only linear in log p, using a pre-computed table of size 
0((logp) r+1 • log log p) . In practice, our rudimentary implementation of 
the proposed method increased the speed of Pollard rho with r-adding 
walks by a factor of more than 10 for 1024-bit random primes p. 

Keywords: Pollard rho, r-adding walk, discrete logarithm problem, 
prime field. 


1 Introduction 

Let G be a finite cyclic group of order q generated by g. Given h e G, the 
discrete logarithm problem (DLP) over G is to find the smallest non-negative 
integer x such that g x = h. The answer x is called the discrete logarithm of 
h to the base g , and is denoted by log fl h. Along with the integer factorization 
problem, the DLP is one of two most important mathematical primitives in 
public key cryptography and its hardness is the basis of various cryptosystems 
such as Difhe-Hellman key agreement protocol 0, ElGamal cryptosystem 0], 
and signature schemes 0. 0] ■ 

Many of these systems, including the Digital Signature Standard 0, are im- 
plemented on a multiplicative subgroup G of prime order q of a prime field F p . 
In such a setting, the index calculus method |]J determines the size of p to be 
used, but the size of q is set by the Pollard rho method 0 . 

In this work, we use the r-adding walk style of iterating function for the 
Pollard rho method, which is known to require less iterations before collision 
than Pollard’s original iterating function. In an r-adding walk, a set Af of r 
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random elements from G is first fixed. Given the i-th element < 7 ,; £ G of the 
walk, the ( i + l)-th element gi + 1 is defined to be the product of g t and an 
element M s G M, whose choice is given by the index s = s(< 7 ,;), a function of 
gi . Our idea is to define the index function s in such a way that s(<?j+i) can 
be computed from g t and M s ( g .y without fully computing the product f/i+i = 
9iM s ( g .y In the next iteration, < 7,^2 = gi+i ■ M S ( !H+1 ) is considered as a product of 
gi and My g yM s ( gi+1 ), with the second term taken from a pre-computed table of 
products among M elements. Thus, . 3 (^+ 2 ) is computed without fully computing 
gi. j_ 2 . More generally, we prepare a table Me '■= (A4 U{1})^ of t products from M 
and a full product computation is done when we reach i iterations. Our method 
can be used with the distinguished points 0 collision detection method, and 
hence allows efficient parallelization, as with the original Pollard rho, i.e., n times 
speedup with n processors 0 - 

The proposed method produces a normal r-adding walk trail, and hence 
should reach a collision and solve DLP in the same number of steps as with 
any other r-adding walk, but the execution time of each iteration is signifi- 
cantly reduced. For 1024-bit random primes p the proposed algorithm replaces 
a multiplication of two 1024-bit words by 64 multiplications between a 16-bit 
word and a 32-bit word, and our rudimentary implementation of the proposed 
method was faster than the usual r-adding walks by a factor of more than 10. 
An incremental use of this algorithm will reduce each iteration of the original 
r-adding walk on G C F* from one multiplication of integers of logp size to 
an operation of complexity linear in log p, using a pre-computed table of size 
0((\ogp) r+1 • log log p) . 

Previous Works. The fastest algorithm for the DLP on a finite field F p is the 
index calculus method whose complexity is sub-exponential in the size of the 
base field [ 3 ]. Since the performance of the method depends on the size of the 
base field, this method has the same performance on any subgroup of F* . If the 
subgroup has a composite order, we can use Pohlig and Heilman 0 algorithm 
to reduce the DLP in the subgroup to the DLP in its prime order subgroups. 

For prime-order cyclic groups G, including multiplicative subgroups of suf- 
ficiently large finite fields, the first non-trivial algorithm solving the DLP was 
the Baby-Step Giant-Step method suggested by Shanks 0 . It requires 0(^/q) 
operations and memory to work on an abelian group of order q. Pollard 0 pro- 
posed a probabilistic algorithm, called the Pollard rho method, with the same 
complexity, but requiring only small size of memory. There have been several 
variants proposing different collision detection methods 1,00 and iterating 
functions jlTI . 0] . An efficient parallelization of Pollard rho was developed by 
van Oorschot and Wiener 0 using distinguished points. For (hyper-)elliptic 
curves with fast endomorphisms, more efficient variants of Pollard rho methods 
are known 1 , 0 , 0 . 

Organization. In Section 2, we introduce the Pollard rho method, r-adding 
walks, and the distinguished point collision detection method. In Section 3, we 
propose Tag Tracing, a method to speed up Pollard rho. In Section 4, we apply 
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this to prime fields and analyze its complexity. Also, we present some imple- 
mentation result for 1024-bit primes. In Section 5, we estimate the asymptotic 
complexity of our algorithm when it is used incrementally. Section 6 concludes 
this paper. Tag tracing on binary fields is briefly treated in Appendix El 

2 Pollard Rho Algorithm 

To set the basis of our discussion and fix notation, we will quickly review variants 
of the Pollard rho method in this section. Readers should consult the original 
papers for any detail. Throughout this paper G = { g ) will be a finite cyclic group 
of prime order q, on which we wish to solve a discrete logarithm problem. 


2.1 Function Iteration and Collision 

Given any function f : G —* G, we can create a sequence (gi)i>o by iteratively 
defining 

9i+i=f(9i) (*> 0), 

starting from a random starting point go G G. Because G is a finite set, this 
sequence is eventually periodic. The smallest integers p > 0 and A > 1 satisfying 
gx+n = g,i are said to be the pre-period and period of the sequence (gi)i>o, 
respectively. 

When the function / is chosen uniformly at random from the set of all func- 
tions sending G to G, the value X + p is expected to be \J rq/2 ~ 1.253y^. Each 
variant of Pollard rho method provides an iterating function f and a method to 
detect a collision, i.e., the happening of (ji = g 3 with i ^ j. 

Suppose we are trying to solve for log g h. Given any element y G G, there are 
many ways to write it in the exponent form y = g a h b . Let us say that a function 
/ : G —> G is exponent traceable, or allows exponent tracing, with respect to g 
and h, if it is possible to express the function in the form 

f(g a h b ) = g^h^ a ’ b \ 

with some (simple) functions f g and fh of the exponents. For example, if / was 
the squaring function on G, we could set f g {a, b) = 2 a and fh(a, b) = 2b. 

The iterating function of a Pollard rho algorithm variant is always chosen in 
such a way that it is exponent traceable. Thus, starting from go = g a °h b °, with 
randomly chosen, but known, (ao, bo), we can always keep track of the exponents 
(ai, bi) satisfying g, = g ai h bi . Then, when a collision (ji = g.j is detected, setting 
x = log 9 h, we know g' H (g x ) bi = g aj (g x ) bj , so we can use 

ai + x ■ bi = aj + x ■ bj (mod q) 


to solve for x. 
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2.2 Iterating Functions 

An iterating function is taken to be of good design if the number of iterations 
it takes to reach a collision is close to y/nq/2, the value expected of a random 
function. 

Pollard. Pollard m originally targeted the DLP on ( Z/pZ )*, but his iterating 
function, which we shall denote as fp:G—> G, can be modified for use on any 
cyclic group. Let G = T 0 U T\ U T 2 be a partition of G into nearly equal sized 
subsets. The iterating function is defined as follows. 



fp(y)=ly 2 , if y € T% t 

[hy, if yeT 2 . 


It is clear that this allows exponent tracing. For example, when g a h b £ To, we 
have ( fp) g (a , b ) = a+ 1 and ( fp)h{a , b) = b. Tests have shown that it takes more 
than ^irq/2 iterations for fp to reach a collision 00, so that fp is not an 
optimal choice for an iterating function. 

r-adding walks. Let 3 < r < 100 be a small positive integer and let G = 
T 0 U ■ ■ • U T r _ 1 be a partition of G into r-many subsets of roughly the same size. 
The index function s : G — >• {0, 1, . . . , r — 1} is defined by setting s(y) = s for 
y £ T s . For each s = 0, . . . , r — 1, randomly choose integers rn s . n s £ Z/<yZ and 
set the multipliers to M s = g rn ° h n ‘ . The iterating function is given by 


f T (y) = yM s{v) . 


That is, one of the r-many fixed elements M s £ G is multiplied, depending on 
which subset T s the input belongs to. This is clearly exponent traceable, with 
the exponent functions being addition by m s and n s . The name r-adding refers 
to the additions. 

This method was introduced in H3] and the work m shows that any r > 8 
will suffice for cyclic groups. Testing 0 on cyclic elliptic curve groups show 
that 20-adding walks perform very close to a random function. 

2.3 Collision Detection 

The main issues with collision detection is to detect a collision with minimal 
number of additional iterating function applications after collision occurs, and 
with a small amount of memory. There have been several proposals on colli- 
sion detection methods by Floyd j§], Brent j3], Sedgewick-Szymanski-Yao [03], 
Quisquater-Delescaille and Nivasch Q- 

Among them, the method using distinguished points by Quisquater and De- 
lescaille [bj] is regarded as the most efficient one. This was originally an idea 
for use with time-memory trade-off techniques. Distinguished points are those 
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elements of G that satisfy a certain condition, which is easy to check. For exam- 
ple, with a fixed encoding for G, we may set them to be those elements with a 
certain number of starting bits equal to zero. 

After each application of the iterating function, the current g t is stored in a 
table, if it is a distinguished point. The algorithm terminates when a collision 
is found among the distinguished points. The distinguished points should be 
defined so that this table is of manageable size. 

Let 6 be the fraction of elements in G which satisfy the distinguishing prop- 
erty. The algorithm is expected to terminate with a collision after \Jtu}/2 + 1/6 
applications of the iterating function. 

This method has the advantage that it can lead to n-times speedup with 
n-processor parallelization E2- 

3 Tag Tracing 

Let us recall the r-adding walk iterating function fr. Given an input g- t £ G, 
it first determines the index s = s(gi), and produces g r +-\ = QiM s € G as the 
output. Occasionally, the output giM s is placed in a table of small size. 

Notice that the storing operation is not very frequent. So, one may question 
whether computing the product <?jM s is really necessary at every iteration. Of 
course, iterated applications of fr require current gt to be available, but this 
is avoidable if we have a pre-computed table of suitably many products of M s . 
Then it suffices for one to compute just the index at each iteration. We shall 
explore this line of reasoning in this section. 

3.1 Preparation 

As in the r-adding walk, we fix an index set S = {0, 1, . . . , r — 1} for some small 
r and let M = {M s = g rris h Us } se s be a multiplier set for the r-adding walk. Fix 
a small positive number £ and consider the product set Me = (M U {1})^, i.e., 
the set of products of at most £-many M a . Notice that we know how to write 
each element of Me in the form g m h n . We shall treat the set Me as a table of 
elements of G, listed together with their respective exponent forms. 

For our tag tracing approach to the DLP, we want to pre-compute Me before 
going into the actual r-adding walk, and the following two lemmas show the 
range of r and £ one may choose, depending on the resources available. 

Lemma 1. The size of Me is at most ( e + r ) ■ 

Proof. The size of Me is bounded above by the number of combinations with 
repetitions, where one chooses £ times from the set M U {1} of size r + 1. The 
bound is reached only if all product elements produced are distinct. □ 

Lemma 2. The set Me can be constructed in ( e + r ) — 1 multiplications in G. 
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Proof. Consider the complete r- ary tree structure of depth £. Label each edge 
with an index from S in such a way that from each node, the r edges extending 
to its children nodes are labeled with different indices. We label the root node 
with 1 £ G and label each node below with the element of Me which is the 
product of multipliers labeled by edges on its way down. 

The nodes of the complete r - ary tree will contain multiple copies of Me- It 
is clear that if we collect just the nodes with paths to the root that are labeled 
in non-decreasing order, then we will obtain one copy of Me- As the number 
of edges leading to these nodes is one less than the number of these nodes, and 
since each edge corresponds to one multiplication used in creation of node labels, 
we arrive at our claim. □ 

Some example values would be (®q) ~ 2 63/2 for 20-adding walks with i = 64, and 
( 8 ) ~ 2 33 4 for 8-adding walks with i = 64. As Me can only be computed after 
h, whose discrete logarithm we are looking for, is given, we do not want these 
pre-computation complexities to go over our main attack complexity. 

We now fix a tag set T together with three functions. 

t-.G^T. 

t : G x Me -»TU {fail}. 

a : T — > <S = {0, 1, . . . , r — 1}. 

The first function r is named the tag function. We define the index function 
s:G— ><Stobes = croT and also consider the function s = a o f : G x Me — > 
<S U {fail}. The three functions above are to be chosen so that they satisfy the 
following condition. 

1. The index function s = got is surjective and roughly pre-image uniform, i.e., 
grouping G according to its image points under s partitions G into subsets 
of roughly the same size. 

2. When s(g, M) e S, we have s(g, M) = s(g ■ M). In particular, any successful 
output of s depends only on the product of its inputs. 

So we are looking for a function τ that resembles a normal index function, but
with a larger image set, and also another way τ̂ to evaluate τ on a product of
group elements.

The situation we have in mind concerning τ and τ̂ is as follows. Given a
random M ∈ M_ℓ and g ∈ G, the expected time for calculation of τ̂(g, M) is
smaller than the time needed for computation of the product M · g. The general
thought behind this is that it should take less effort to obtain some partial
information about a product than the full product itself. For example, consider
the case G ⊂ F_p^× and define τ(g) to be the most significant k bits of g ∈ G.
Intuitively, computing k bits out of the log p bits of the product gM may take
only a fraction of the time for the full product computation. If some of the product
bits were easier to calculate than others, the time could be even shorter.

We shall denote the expected time for ŝ(g, M) evaluation by |ŝ|.
3.2 Iterating Function

The iterating function of our tag tracing algorithm will follow the usual r-adding
walks. We have already fixed an index set S = {0, 1, ..., r − 1} with an appro-
priate index function s = σ ∘ τ and a multiplier set M during the preparation
phase.

We start with a random g_0 ∈ G and the first index s_0 = s(g_0) is computed.
We set g_1 = g_0 M_{s_0}, exactly as in the normal r-adding walk process, but the
product g_0 M_{s_0} is not computed. Instead, ŝ(g_0, M_{s_0}) is computed in time |ŝ|. If
ŝ(g_0, M_{s_0}) ∈ S, we have computed

s_1 = s(g_1) = s(g_0 M_{s_0}) = ŝ(g_0, M_{s_0}).

We have not fully computed g_1, but can set g_2 = g_1 M_{s_1} = g_0 M_{s_0} M_{s_1}, which is,
once again, not computed.

Now, since M_{s_0} M_{s_1} ∈ M_ℓ is an element which has been pre-computed, we
can evaluate ŝ(g_0, M_{s_0} M_{s_1}) in time |ŝ|. This leads us to the index value s_2 and we
can continue as before.

If we come across the situation ŝ(g_0, M_{s_0} ··· M_{s_k}) ∉ S, or arrive at ℓ iterations
of the above process, we do a full product computation. That is, we compute
g_{k+1} = g_0 M_{s_0} ··· M_{s_k} and let this replace the role g_0 has taken up to that
iteration. Notice that this full product requires just one multiplication, since
M_{s_0} ··· M_{s_k} ∈ M_ℓ has been pre-computed.

Notice that since the set M_ℓ is a table of elements of G, listed together with
their respective exponent forms, the above process is fully exponent traceable.


3.3 Collision Detection 

To complete the description of the tag tracing method, we need to check whether it is
possible to detect collisions. The distinguished point method is well suited for
our tag tracing.

Usually, a distinguished point is defined to be a point with a certain number
of leading bits equal to zero, under a fixed encoding. With tag tracing, we use
this usual definition, but for more efficiency, impose an additional condition to
be satisfied. This extra condition is set to depend on the tag value τ(g) in such
a way that it can only be satisfied when τ̂(g', M') ∉ T for every g' and M' such
that g = g'M'. Then, whenever there is a chance of some g_i being a distinguished
point, we would already have the full form of g_i, and there are no additional
full product computations involved in relation to collision detection. With the
extra condition on the tag, the original condition can be relaxed to maintain the
number of distinguished points.

3.4 Complexity Analysis 

Let us make a rough time complexity comparison of our tag tracing with the orig-
inal r-adding walks. The storage complexity of tag tracing is given by Lemma 1.
We can assume that the various parameters for tag tracing have been chosen
so that the time taken for preparation, given by Lemma 2, is insignificant com-
pared to the main function iterations. We shall also not include the effort needed
in following through the exponents needed in the final computation of the discrete
logarithm.

Consider the time taken to do a full product computation in G. This will
be almost equal to |M|, the time taken for one iteration of the r-adding walk.
Even though this time will depend on the encoding for G, we shall assume that
computation of a full product in our tag tracing also requires time |M|.

Recalling the notation |ŝ| introduced earlier, we can restate one of our re-
quirements on τ̂ as |ŝ|/|M| < 1. It is now easy to see that a single iteration of tag
tracing is expected to take time

|ŝ| + (1/ℓ + P_fail) |M|,   (1)

at the most, where P_fail is the probability of reaching an ŝ value not in S.

The expected running time of tag tracing is the above value multiplied by
the number of iterations required for a normal r-adding walk style algorithm.
Hence the ratio of running time between tag tracing and a normal r-adding walk
would be

|ŝ|/|M| + 1/ℓ + P_fail.

If this is less than 1, we have a reduction in discrete logarithm solving time.
As discussed earlier, it should be possible to find τ and τ̂ such that |ŝ| is much
smaller than |M|, making the above a meaningful reduction in time.

4 Application to Prime Fields and Its Implementation 

Throughout this section, p will be a prime and G = ⟨g⟩ ⊂ F_p^× will be a cyclic
group of order q. We will show how to apply the proposed tag tracing algorithm
to G and present some implementation results. Tag tracing on subgroups of
binary fields, which is quite similar, is dealt with in Appendix B.


4.1 Parameter Setup 

We fix the index set size r and the multiplier product pre-computation length
ℓ in such a way that the time and storage complexities given by Lemma 1 and
Lemma 2 are manageable. The tag set T = {0, 1, 2, ..., T − 1} is taken to be of
size T = r · b, a multiple of r. We take a positive integer ε and set d = ⌈log_ε p⌉.
Then we choose an integer ω' ≥ d(ε − 1) + 1. We use the notation ω = T ω' and
assume that ω < p^{1/3}.

The optimal choice for these parameters will depend on many factors including the
size of the prime p, resources available, and the speed of large integer multiplications.
The parameter set below with ℓ = 128 may be appropriate for use on a modern
PC when the prime p is of 1024-bit size. Readers may keep these in mind to facilitate
understanding of further material.
ω = 2^32,  T = 2^10,  ω' = 2^22,  r = 4,  b = 2^8,  d = 2^6,  ε = 2^16.


4.2 Tag Function 

Our assumption ω < p^{1/3} implies that we may always choose an integer B > p^{2/3} such
that 0 ≤ ωB − p < B^{1/2}. For example, setting B = ⌈p/ω⌉ should always work.
We fix any such B and define the tag function τ : G → T as

(2)

where we are using "x mod y" to denote the unique integer between 0 and y − 1
that is congruent to x modulo y. Notice that 0 ≤ ωB − p implies that the quotient is less than T,
so that the above quotient indeed lies in T = {0, 1, ..., T − 1}. We also define
σ : T → S = {0, 1, ..., r − 1} as σ(x) = ⌊x/b⌋ and this fixes the index function
s = σ ∘ τ : G → S.

The following lemma shows that we can expect τ to be roughly pre-image
uniform.

Lemma 3. If the variable x is uniformly distributed over F_p, then the probability
distribution of τ(x) over T is almost uniform in the sense that

|Prob[τ(x) = k] − Prob[τ(x) = k']| < p^{−1/2}

for any k, k' ∈ T.

Proof. We view τ as having been defined on all of F_p. Note that ρ := Tω'B − p =
ωB − p < B^{1/2} < ω'B. This implies that for each fixed k = 0, ..., T − 2, there
are exactly ω'B elements 0 ≤ x < p with τ(x) = k and that there are ω'B − ρ
elements satisfying τ(x) = T − 1. Thus the maximal difference between pre-image
sizes is ρ. Notice that the condition ωB − p < B^{1/2} implies B < p. The maximal
probability difference can now be seen to be less than ρ/p < B^{1/2}/p < p^{−1/2}. □

Since the condition T = r · b makes σ exactly pre-image uniform, the above
lemma holds even when τ(x) is replaced by s(x), and we can state the following.

Proposition 1. Assuming that the elements of G are uniformly distributed over
F_p, we can expect the index function s to be roughly pre-image uniform.


4.3 Auxiliary Functions 

We now present the auxiliary function τ̂ : G × M_ℓ → T ∪ {fail}, which is
essentially equal to τ.

Given x, y ∈ F_p, we can always write

x = Σ_{i=0}^{d−1} x_i ε^i   (0 ≤ x_i < ε)

and, for each 0 ≤ i ≤ d − 1, we can write

ε^i y mod p = y_i B + ŷ_i   (0 ≤ y_i < ω, 0 ≤ ŷ_i < B).   (3)

Using this notation, we define

τ̄(x, y) = ⌊ (Σ_{i=0}^{d−1} x_i y_i mod ω) / ω' ⌋.   (4)

Let us check how close τ̄(x, y) is to τ(xy).

Lemma 4. Given x, y ∈ F_p, we have τ(xy) = τ̄(x, y) or τ̄(x, y) + 1, unless
τ̄(x, y) = T − 1.

Proof. Before going into the proof, for easy reference, let us recall some of the
conditions that were placed on the parameters: d(ε − 1) < ω'; ω = Tω'; ω <
p^{1/3} < B^{1/2}; ωB − p < B^{1/2}.

We start by writing

Σ_{i=0}^{d−1} x_i y_i = a_2 ω + a_1 ω' + a_0,

where the coefficients a_0, a_1, and a_2 are to be obtained through the usual integer
divisions. In particular, we have a_2 < d(ε − 1)(ω − 1)/ω < d(ε − 1) < ω' < ω < B^{1/2}. It
should also be noted that a_1 = τ̄(x, y).

In the above notation, we may write

xy = Σ_{i=0}^{d−1} x_i ε^i y ≡ (Σ_{i=0}^{d−1} x_i y_i) B + Σ_{i=0}^{d−1} x_i ŷ_i   (mod p)

   = a_1 ω' B + a_0 B + a_2 (ωB − p) + Σ_{i=0}^{d−1} x_i ŷ_i   (mod p).

The various conditions allow us to bound the lower terms by

a_0 B + a_2 (ωB − p) + Σ_{i=0}^{d−1} x_i ŷ_i < (ω' − 1) B + B^{1/2} B^{1/2} + d(ε − 1)(B − 1)

                                          < ω' B + (ω' − 1) B = 2ω'B − B.

Now, if a_1 = τ̄(x, y) is strictly less than T − 1, then

a_1 ω' B + a_0 B + a_2 (ωB − p) + Σ_{i=0}^{d−1} x_i ŷ_i < (T − 2) ω' B + 2ω'B − B = ωB − B < p.

So, when τ̄(x, y) ≠ T − 1, we know

xy mod p = a_1 ω' B + { a_0 B + a_2 (ωB − p) + Σ_{i=0}^{d−1} x_i ŷ_i }.

Finally, since the sum of terms inside the braces is non-negative and strictly
less than 2ω'B, the quotient of xy mod p divided by ω'B must be either a_1 or
a_1 + 1. □


Based on this lemma, we define τ̂ : G × M_ℓ → T ∪ {fail} as follows.

τ̂(g, M) = fail        if τ̄(g, M) mod b is either b − 1 or b − 2,
τ̂(g, M) = τ̄(g, M)    otherwise.

Recalling the definitions σ(x) = ⌊x/b⌋, s = σ ∘ τ, and ŝ = σ ∘ τ̂, it is now easy
to show the following proposition.

Proposition 2. When τ̂(g, M) ∈ T and hence ŝ(g, M) ∈ S, we have s(g · M) =
ŝ(g, M) and τ(gM) mod b ≠ b − 1.

Proof. We note that (T − 1) mod b = b − 1, so that Lemma 4 together with
τ̄(g, M) mod b ≠ b − 1 implies τ(gM) = τ̄(g, M) or τ̄(g, M) + 1.

Now, this together with the condition that τ̄(g, M) mod b is neither b − 1 nor
b − 2 implies τ(gM) mod b ≠ b − 1.

In addition, we have τ̄(g, M) = τ̂(g, M), and τ̄(g, M) mod b ≠ b − 1 implies

⌊τ̂(g, M)/b⌋ = ⌊(τ̂(g, M) + 1)/b⌋,

which must be s(g · M). □


4.4 Tag Tracing 

We are now ready to start tag tracing. Using the proof of Lemma 2 as a hint,
we compute a table containing entries (M, m, n) for M = g^m h^n ∈ M_ℓ. We also
append the associated vector

b(M) = ( ⌊(ε^0 M mod p)/B⌋, ..., ⌊(ε^{d−1} M mod p)/B⌋ )

to each entry of the table. Notice that these are the y_i appearing in equation (3).

We can now follow the discussion of Section 3.2 to compute each iteration of
tag tracing. The elements of G are written in ε-ary representation so that we may
quickly compute ŝ using equation (4) and Proposition 2. Whenever we reach ℓ
iterations or an ŝ calculation failure, the complete product g_i is computed using
one group multiplication. A point g ∈ G is defined to be a distinguished point
only if τ(g) mod b = b − 1 and if it satisfies some additional condition on g. According to
Proposition 2, g · M can be a distinguished point only when τ̂(g, M) ∉ T.
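The following Python block is an added worked example, not code from the paper or its authors. It implements the tag function τ, the auxiliary functions τ̄ and τ̂ of Section 4.3, the table M_ℓ with the attached vectors b(M) of Section 4.4, and the tag tracing walk of Section 3.2, and then checks Lemma 4 and Proposition 2 empirically and verifies that the tag tracing walk reproduces the plain r-adding walk step for step while computing far fewer full products. The parameter set is a constructed toy one (a 32-bit prime, r = b = 4, ε = 4) chosen to satisfy the constraints of Sections 4.1 and 4.2; the walk runs over all of F_p^× with random multipliers instead of g^m h^n, and the exponent bookkeeping needed for the final discrete logarithm is omitted. The names `tag`, `tag_bar`, `tag_hat`, `build_table`, `tag_trace` and `demo` are this example's own.

```python
import random
from itertools import combinations_with_replacement

# Constructed toy parameters (not the paper's 1024-bit setting) obeying Sections 4.1-4.2.
p = 4294967291            # 2^32 - 5, a prime; the toy group is all of F_p^x
r, b = 4, 4               # index set S = {0..r-1}; tag set T = {0..r*b-1}
T = r * b
eps, d = 4, 16            # eps-ary digits: 4^16 = 2^32 > p, so d = ceil(log_eps p)
omega_p = 64              # omega' >= d*(eps-1) + 1 = 49
omega = T * omega_p       # omega = 1024 < p^(1/3)
B = -(-p // omega)        # B = ceil(p/omega) = 2^22 > p^(2/3); omega*B - p = 5 < sqrt(B)
assert omega_p >= d * (eps - 1) + 1 and omega ** 3 < p and B ** 3 > p ** 2
assert 0 <= omega * B - p and (omega * B - p) ** 2 < B
FAIL = None               # the "fail" output of tau-hat and s-hat

def tag(x):
    """tau(x) = floor(x / (omega' B)), in {0,...,T-1} because T*omega'*B >= p."""
    return x // (omega_p * B)

def digits(x):
    """eps-ary digits of x (least significant first), padded to d entries."""
    return [(x // eps ** i) % eps for i in range(d)]

def split_y(y):
    """For 0 <= i < d: eps^i * y mod p = y_i * B + yhat_i; returns [(y_i, yhat_i)]."""
    return [divmod(pow(eps, i, p) * y % p, B) for i in range(d)]

def tag_bar(xs, ys):
    """tau-bar(x,y) = floor((sum_i x_i y_i mod omega) / omega') from x's digits and the
    precomputed y_i only: d multiplications modulo omega, never the product x*y mod p."""
    acc = 0
    for xi, (yi, _) in zip(xs, ys):
        acc = (acc + xi * yi) % omega
    return acc // omega_p

def tag_hat(xs, ys):
    """tau-hat: tau-bar, except FAIL when tau-bar mod b is b-1 or b-2 (Section 4.3)."""
    tb = tag_bar(xs, ys)
    return FAIL if tb % b in (b - 1, b - 2) else tb

def sigma(t): return t // b              # sigma: T -> S
def index(x): return sigma(tag(x))       # s = sigma o tau

def index_hat(xs, ys):                   # s-hat = sigma o tau-hat
    th = tag_hat(xs, ys)
    return FAIL if th is FAIL else sigma(th)

def build_table(mults, ell):
    """M_ell: products of at most ell multipliers keyed by the sorted multiset of their
    indices, each stored with its y_i vector (the b(M) of Section 4.4)."""
    table = {}
    for k in range(1, ell + 1):
        for combo in combinations_with_replacement(range(r), k):
            prod = 1
            for i in combo:
                prod = prod * mults[i] % p
            table[combo] = (prod, split_y(prod))
    return table

def tag_trace(g0, mults, ell, steps):
    """Tag tracing walk of Section 3.2: returns the final point, the index sequence
    s_0, s_1, ... and the number of full products that were actually computed."""
    table = build_table(mults, ell)
    g, xs, pending, idx, full = g0, digits(g0), (), [], 0
    for _ in range(steps):
        if not pending:
            s = index(g)                             # fresh base point: plain s(g)
        elif len(pending) == ell:
            s = FAIL                                 # ell multipliers pending: full product
        else:
            s = index_hat(xs, table[pending][1])     # s-hat(g, M) without multiplying
        if s is FAIL:                                # one multiplication, new base point
            g = g * table[pending][0] % p
            xs, pending, full = digits(g), (), full + 1
            s = index(g)
        idx.append(s)
        pending = tuple(sorted(pending + (s,)))
    if pending:                                      # materialize the last point
        g, full = g * table[pending][0] % p, full + 1
    return g, idx, full

def adding_walk(g0, mults, steps):
    """Plain r-adding walk g_{k+1} = g_k * M_{s(g_k)}: one multiplication per step."""
    g, idx = g0, []
    for _ in range(steps):
        s = index(g)
        idx.append(s)
        g = g * mults[s] % p
    return g, idx

def demo(seed=7, ell=3, steps=200, samples=500):
    """Returns (walks_agree, full_products, lemma4_ok, prop2_ok) on constructed random
    multipliers and points: tag tracing must reproduce the plain walk exactly."""
    rng = random.Random(seed)
    mults = [rng.randrange(2, p) for _ in range(r)]
    g0 = rng.randrange(2, p)
    tt_g, tt_idx, full = tag_trace(g0, mults, ell, steps)
    w_g, w_idx = adding_walk(g0, mults, steps)
    ok4 = ok2 = True
    for _ in range(samples):
        x, y = rng.randrange(1, p), rng.randrange(1, p)
        xs, ys, prod = digits(x), split_y(y), x * y % p
        tb = tag_bar(xs, ys)
        ok4 &= tb == T - 1 or tag(prod) in (tb, tb + 1)                    # Lemma 4
        th = tag_hat(xs, ys)
        ok2 &= th is FAIL or (index(prod) == sigma(th) and tag(prod) % b != b - 1)  # Prop. 2
    return (tt_g, tt_idx) == (w_g, w_idx), full, ok4, ok2
```

With b = 4 the failure probability is 2/b = 1/2, so roughly half of the iterations still need a full product; the paper's b = 2^8 drops this to 1/2^7, which is why the ratio in Table 1 saturates near ℓ = 2^7. Calling `demo()` returns `(True, n, True, True)` with n strictly between 0 and the number of steps.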


4.5 Implementation 

We have tested tag tracing with an implementation on a modern PC and com-
pared it with a normal 20-adding walk. Both the tag tracing and 20-adding walks
were set to use distinguished points for collision detection. We used the finite
field arithmetic provided by the NTL library to implement the 20-adding
walk, so as not to be biased. Throughout the test, the prime p was taken to be of
1024-bit size, and whenever random primes p, q and ⟨g⟩ ⊂ F_p^× of order q were
needed, they were generated in the style specified for DSA [?].

After comparing rho lengths of r-adding walks for various r, we opted to use
r = 4 for tag tracing, as we did not have much memory available. Compared to
the 20-adding walk, our tag tracing with r = 4 will have approximately 1.3 times
longer rho length. This is explained in Appendix A. Other parameters were set
to b = 2^8, ε = 2^16, T = 2^10, ω' = 2^22, and ω = 2^32.

For speed comparison, we chose q to be of 160-bit size and ran both the 20-
adding walk and tag tracing for 2^28 iterations. For tag tracing this was done
for various choices of ℓ, with a set of randomly chosen primes p and q, group
generator g, DLP target h, adding walk multipliers M_s, and initial starting point.
Timings are listed in Table 1. The size \binom{ℓ+r}{r} · ((1 + ‖ω‖/‖ε‖)‖p‖ + 2‖q‖) of table
M_ℓ and its preparation time are also listed, where the ‖·‖ notation has been used
for bit length. The corresponding time, averaged over 10 randomly generated
starting points, was 1071.4 seconds for the 20-adding walk.

The table shows that the speed of a tag tracing iteration can be over 15 times
faster than that of a 20-adding walk. Since the rho length of a 4-adding walk
is 1.3 times longer than that of a 20-adding walk, this translates to tag tracing
being more than 11.5 times faster than a 20-adding walk in solving DLP.

Table 1 is also interesting in that it reflects the complexity estimate given by
equation (1). Larger ℓ implies a smaller number of full product computations and


Table 1. Tag tracing timing for 2^28 iterations (‖q‖ = 160)

ℓ                       10     20     30     40     50     60     70     80     90    100
|ŝ| (sec)            156.6   91.8   75.0   70.5   70.3   70.0   70.8   71.6   72.6   73.9
|M|/|ŝ|                6.8   11.7   14.3   15.2   15.2   15.3   15.1   15.0   14.8   14.5
M_ℓ size (MB)          0.4    4.3   18.8   54.9  127.9  256.9  465.3  780.2 1233.1 1859.3
M_ℓ comp time (sec)   0.21   2.27   9.90   29.1   68.0    137    245    414    650    983
Table 2. Full running time comparison of tag tracing and 20-adding walks

‖q‖                          35           40           45            50             55
Pollard rho             1.103 sec    6.272 sec   38.738 sec   203.138 sec   1185.578 sec
20-adding               0.940 sec    5.174 sec   29.653 sec   159.977 sec    959.027 sec
tag tracing             0.093 sec    0.441 sec    2.634 sec    13.481 sec     80.785 sec
Pollard rho/tag tracing     11.89        14.24        14.70         15.07          14.68
20-adding/tag tracing       10.14        11.75        11.26         11.87          11.87


this results in a steep speed increase for ℓ = 10 ~ 60. The gradual decrease in
speed after that seems to be from two factors. As we are using b = 2^8, we have
P_fail = 1/2^7, and increasing ℓ loses effect as we approach ℓ = 2^7. We
have experienced through various tweaks that table lookups to M_ℓ present a
considerable fraction of the time taken by a tag tracing iteration. This, coupled
with our poor use of memory, is another reason for the decrease in speed at high ℓ. In
any case, unlike our primitive testing, a large scale implementation of tag tracing
will need to use advanced hash table techniques that allow constant time table
lookups.

We verified with small q that tag tracing has no problem in solving DLPs.
Except for the q size, parameters identical to the above were used with ℓ = 40.
The timings, averaged over 200 randomly generated starting points and multi-
plier sets, are given in Table 2. The figures do not include the approximately
29 seconds spent on creation of M_ℓ. This may seem illogical here, but as table
creation time does not change much with q, the speed ratio calculated in this
way will reflect what can be expected of the ratio at large q. The data in Table
2 roughly coincides with our prediction of an 11.5 factor speedup.

5 Asymptotic Complexity 

In this section, we consider the asymptotic complexity of the proposed algorithm
for large p. We will use Mul(k) to denote the cost of multiplication modulo an
integer of k-bit size.

Looking at equation (4) and the definition of σ, we can check that the cost
of evaluating the auxiliary index function ŝ is d multiplications modulo ω, d − 1
additions modulo ω, and two divisions of integers less than ω. Thus, ignoring the
small fixed number of divisions and the relatively cheaper additions, we can say
that ŝ evaluation costs approximately d Mul(‖ω‖). Recalling (1), we can write
the average cost of a single tag tracing iteration as

d Mul(‖ω‖) + (1/ℓ + P_fail) Mul(‖p‖).

If ω is set to grow with p, this complexity would not be linear in k = ‖p‖. To
obtain linear complexity, we perform tag computation in an incremental way,
starting with fixed small parameters and recomputing with incrementally larger
parameters only when the previous attempt fails. Let us explain the procedure
in more detail.

We fix r ≥ 4 and b ≥ 2 to be small constants and define t = ⌊log_b k⌋. We
take ℓ = Θ(k), fix ε to a positive integer satisfying ε^t < p^{1/3}/(r k^2), and let
d = ⌈log_ε p⌉, as before. Based on these, we prepare a parameter set for each
index i = 1, ..., t, as follows: b_i = b^i, T_i = r b_i, ε_i = ε^i, ω'_i = d ε_i, ω_i = T_i ω'_i,

Note that ω'_i does not involve d_i = ⌈log_{ε_i} p⌉, allowing each ω_i to divide ω_{i+1}
and making each B_i an integer. It is possible to check that each set of parameters
satisfies all conditions set forth in Section 4.1 and Section 4.2. For example,
ω_i ≤ ω_t = r b^t d ε^t < p^{1/3} and ω'_i = d ε_i ≥ d_i ε_i > d_i(ε_i − 1) + 1. We can also use
p^{1/3} < p/ω_t < B_t to show 0 ≤ ω_i B_i − p = ω_t B_t − p < ω_t < p^{1/3} < B_t^{1/2} ≤ B_i^{1/2}.

For each i, we can define the tag function τ_i and the index function s_i as in
Section 4, i.e.,

Since b_i ω'_i B_i = b_t ω'_t B_t, we have s_i(g) = s_t(g), for any i. We already know that
this common index function is roughly pre-image uniform.

Let g ∈ G and M ∈ M_ℓ. For each i, we can define τ̂_i(g, M) as in Section
4, which is computed in time d_i Mul(‖ω_i‖), and is successful in giving s_i(g · M)
with probability 1 − 2/b^i. We now use an incremental approach in computing
the common index s_t(g · M). First, τ̂_1(g, M) is computed. If it returns a failure,
we compute τ̂_2(g, M), and so on. We stop whenever an output s_i(g · M) for i ≤ t
is successfully obtained and move on to the next iteration of tag tracing. The full
product of g and M is computed if all t attempts fail.

Then the time complexity of this incremental approach is

d_1 Mul(‖ω_1‖) + (2/b_1) d_2 Mul(‖ω_2‖) + ··· + (∏_{i<t} 2/b_i) d_t Mul(‖ω_t‖) + (1/ℓ + ∏_{i≤t} 2/b_i) Mul(‖p‖)

≤ 2 (b/(b − 2))^2 Mul(‖ω_1‖) ⌈log_ε p⌉ + (1/ℓ + P_fail) Mul(‖p‖) = O(‖p‖) = O(k),

where we have used the facts ω_i ≤ ω_1^i, d_i ≤ ⌊d/i⌋, t = O(k), b^t = O(k), and that
Mul(k) is at most quadratic in k.

The incremental approach requires t tables and since an entry in the i-th table
is of d_i ‖ω_i‖ ≤ log_ε ω_i · log p bits, noting that ∏_{i=1}^{r} (ℓ + i)/i = O(ℓ^r) = O(k^r), we can write
the storage requirement as

\binom{ℓ+r}{r} · t · log_ε ω_t · log p = O(k^{r+1} log k).

It only remains to consider collision detection. A point g ∈ G is defined to be
a distinguished point only if τ_t(g) mod b^t = b^t − 1 with possibly some additional
conditions on g. Because ⌊τ_i(g)/b^i⌋ = ⌊τ_t(g)/b^t⌋ and τ_i(g) = ⌊τ_t(g)/b^{t−i}⌋, we
have τ_t(g) mod b^t = (τ_i(g) mod b^i) b^{t−i} + τ_t(g) mod b^{t−i}. From this, we see that
τ_t(g) mod b^t = b^t − 1 implies τ_i(g) mod b^i = b^i − 1 for any i. Thus distinguished
point candidates can be noticed from any τ̂_i(g, M).

6 Conclusion 

In this paper, we proposed a method to speed up the Pollard rho algorithm
on cyclic subgroups of the prime field F_p. The proposed algorithm replaces the
multiplication needed in r-adding walks with an operation of linear complexity.
As further work, we would like to generalize our algorithms to elliptic or
hyperelliptic curves.
A Performance of 4-Adding Walks

For r ≥ 3, let us write f_r to denote the r-adding walk iterating function. We
also write f_P for Pollard's iterating function. Whereas the rho length of a
function graph on a set of size q is expected to be √(πq/2) for a random function,
the actual rho lengths of various f_r and f_P are a small constant multiple of
√(πq/2). We shall write C_r and C_P for these constants. In this section, we show
experimental results on these values. During the test, the size of p was always set to
1024 bits, but varying q sizes were used.

In order to use the iterating functions f_r and f_P we need to define an index
function. For each r ≥ 3, the index function s_r : F_p → {0, ..., r − 1} was
set to s_r(g) = ⌊r · (A · g mod 1)⌋, where A is a rational approximation of the
golden ratio (√5 − 1)/2. When A is of sufficient precision, this is known to bring
about a uniform looking distribution [?], even on non-uniform inputs. For our
experiment, a precision of 1044 binary places for A is sufficient.

Estimates for the constants C_r and C_P were found as follows. Primes p, q
and a cyclic group generator g of order q in F_p^× were randomly generated in the
DSA style [?], and the multiplier set was randomly selected. Then the iterating
function was iterated from a random starting point until the walk intersected
Table 3. Experimental rho length constant for various iterating functions

‖q‖          10      15      20      25      30      35      40
C_P       1.244   1.267   1.307   1.289   1.304   1.325   1.312
C_3       1.628   1.830   2.051   2.201   2.408   2.568   2.742
C_4       1.336   1.346   1.328   1.374   1.360   1.368   1.370
C_8       1.092   1.105   1.072   1.087   1.061   1.098   1.058
C_20      0.995   1.008   1.036   1.004   1.014   1.047   1.034
C_4/C_20  1.342   1.335   1.282   1.369   1.342   1.308   1.325

Fig. 1. Expected rho length constants for f_P and f_20

itself in a rho. The length of the rho was recorded and the process redone with a
newly generated g, h and multiplier set. This was repeated 1000 times for each
iterating function. The average rho lengths divided by √(πq/2) are the constants
C_r and C_P, and this is summarized in Table 3. We have also provided graphs
for some of these in Figure 1.

It is clear that our data is not very accurate, but it is good enough for one to
conclude that C_4/C_20 will not be too different from 1.3, even for large q.

B Tag Tracing on Binary Fields 

Let us explain how tag tracing can be applied to cyclic subgroups of binary
fields. We shall be very brief, as much of this case is quite similar to the prime
field case.

Fix the binary field to F_{2^m} = F_2[t]/p(t), where p(t) is an irreducible polyno-
mial of degree m, so that elements of the cyclic group G ⊂ F_{2^m}^× may be written
in the polynomial basis. Adopting the notation used with integers, we shall write
⌊p_1(t)/p_2(t)⌋ and p_1(t) mod p_2(t) to denote the quotient and remainder, respec-
tively, resulting from the polynomial division of p_1(t) by p_2(t).

We fix positive integers u and v, such that v < u, and define the
polynomial B(t) = ⌊p(t)/t^u⌋. The tag function τ : G → T = {f ∈ F_2[t] |
deg f < u − v} is defined as

τ(g(t)) = ⌊ ⌊ (g(t) mod p(t)) / B(t) ⌋ / t^v ⌋.   (6)

Note that this map is surjective and will be roughly pre-image uniform for usual
choices of G.

Given an x(t) ∈ F_2[t], we can write x(t) = Σ_i x_i(t) · t^{(v+1)i}, with deg x_i(t) ≤ v.
Also, given y(t) ∈ F_2[t], we can write t^{(v+1)i} · y(t) mod p(t) = y_i(t) · B(t) + ŷ_i(t)
with deg ŷ_i(t) < m − u, for each meaningful i. Using this notation, we define the
auxiliary tag function as

Then, through careful counting of degrees and an argument similar to the proof of
Lemma 4, one can show that

τ(x(t) · y(t)) = τ̄(x(t), y(t)).

We emphasize that this is true for any choice of x(t), y(t) ∈ F_2[t].

Finally, we view the polynomial set T as the set of non-negative integers less
than |T| = 2^{u−v} and define σ : T → S = {0, ..., r − 1} to be division by ⌈|T|/r⌉.
Then, the index function s = σ ∘ τ : G → S is pre-image uniform for r that is
a power of 2. For other r, the probability of reaching each of the indices may
differ by at most 1/|T|.

In the binary field case, unlike the prime field case, the auxiliary tag function
always gives the correct tag value, so one has a better chance of running through
the full ℓ-many tag tracing steps with the pre-computed table M_ℓ, without fully
computing any product. However, the asymptotic complexity of the binary field
case remains equal to that of the prime field case.
Abstract. The generic group model is a valuable methodology for
analyzing the computational hardness of number-theoretic problems 
used in cryptography. Although generic hardness proofs exhibit many 
similarities, still the computational intractability of every newly in- 
troduced problem needs to be proven from scratch, a task that can 
easily become complicated and cumbersome when done rigorously. In 
this paper we make the first steps towards overcoming this problem by 
identifying criteria which guarantee the hardness of a problem in an 
extended generic model where algorithms are allowed to perform any 
operation representable by a polynomial function. 

Keywords: Generic Group Model, Straight-Line Programs, Hardness 
Conditions, Lower Bounds. 


1 Introduction 

The generic group model was introduced by Nechaev [1] and Shoup [2]. In this
model one considers algorithms that, given a group G as a black box, may only
perform a restricted set of operations on the elements of G such as applying the
group law, inversion of group elements and equality testing. Since in this model
the group is treated as a black box, the algorithms cannot exploit any special
properties of a concrete group representation.

Many fundamental cryptographic problems were proven to be computation-
ally intractable in the generic model, most notably the discrete logarithm
problem (DLP), the computational and decisional Diffie-Hellman problem (DHP
and DDHP) [2], and the root extraction problem (in groups of hidden order) [?].
These intractability results are considered to be evidence supporting crypto-
graphic assumptions of number-theoretic nature which underlie the security of
a vast number of systems of applied cryptography. Moreover, loosely speak-
ing, it has become considered good practice, when making new intractabil-
ity assumptions, to prove the underlying problem to be hard in the generic
model. Many novel assumptions rely on more complex algebraic settings than
the standard assumptions. They involve multiple groups and operations on
group elements additional to the basic operations. Examples include the nu-
merous assumptions based on bilinear pairings (e.g., see [?]). Since the proper-
ties ensuring generic hardness had not been well-studied and formalized before
this work, for each novel problem an entire hardness proof had to be done
from scratch.

A generic group algorithm can only perform a subset of the operations that
can be performed by an algorithm that may exploit specific properties of the
representation of group elements. This implies that proving a problem to be
intractable in the generic group model is a necessary, but not sufficient, condition
for the problem to be intractable in any concrete group. A generically intractable
problem that is easy in any concrete group has been considered in [?].

Our contributions. In a nutshell, we identify the core aspects making crypto-
graphic problems hard in the generic model. We provide a set of conditions which,
given the description of a cryptographic problem, allow one to check whether the
problem at hand is intractable with respect to generic algorithms performing
certain operations. In this way we aim at (i) providing means to structure and
analyze the rapidly growing set of cryptographic assumptions as motivated in
[?] and (ii) making the first steps towards automatically checkable hardness con-
ditions in the generic model.

Related Work. In [?] the author analyzes a generalization of the Diffie-Hellman
problem, the P-Diffie-Hellman problem: given group elements (g, g^{x_1}, g^{x_2}) the
challenge is to compute g^{P(x_1, x_2)}, where P is a (non-linear) polynomial and g is
a generator of some group G. Among other results, it is shown there that the
computational and decisional variants of this problem class are hard in the generic
model. Another general problem class has been introduced in [?] to cover DH
related problems over bilinear groups. The authors show that decisional problems
belonging to this class are hard in the generic model.

Recent work by Bresson et al. [?] independently analyzes generalized deci-
sional problems over a single prime order group in the plain model. They showed
that under several restrictions a so-called (P, Q)-DDH problem is efficiently re-
ducible to the standard DDH problem. However, one important requirement for
applying their results is that the P and Q polynomials describing the problem
need to be power-free, i.e., variables are only allowed to occur with exponents
being equal to zero or one.
2 Some Preliminaries

Let poly(x) denote the class of univariate polynomials in x with non-negative
integer coefficients. We call a function f negligible if ∀ poly ∈ poly(x) ∃ κ_0 ∀ κ >
κ_0 : f(κ) < 1/poly(κ).

Throughout the paper we are concerned with multivariate Laurent polyno-
mials over the ring Z_n. Informally speaking, Laurent polynomials are poly-
nomials whose variables may also have negative exponents. More precisely, a
Laurent polynomial P over Z_n in indeterminates X_1, ..., X_ℓ is a finite sum
P = Σ a_{α_1,...,α_ℓ} X_1^{α_1} ··· X_ℓ^{α_ℓ} where a_{α_1,...,α_ℓ} ∈ Z_n and α_i ∈ Z. The set of Laurent
polynomials over Z_n forms a ring with the usual addition and multiplication.
By deg(P) = max{Σ_i |α_i| | a_{α_1,...,α_ℓ} ≢ 0 mod n} we denote the (absolute) total
degree of a Laurent polynomial P ≠ 0. Furthermore, we denote by L_n^{(ℓ,c)} (where
0 ≤ c ≤ ℓ) the subring of Laurent polynomials over Z_n where only the variables
X_{c+1}, ..., X_ℓ can appear with negative exponents. Note that for any P ∈ L_n^{(ℓ,c)}
and x = (x_1, ..., x_ℓ) ∈ Z_n^c × (Z_n^*)^{ℓ−c} the evaluation P(x) is well-defined.

If A is a probabilistic algorithm, then y ← A(x) denotes the assignment to y
of the output of A's run on x with fresh random coins. Furthermore, by [A(x)]
we denote the set of all possible outputs of a probabilistic algorithm A on input
of a fixed value x. If S is a set, then x ← S denotes the random generation of
an element x ∈ S using the uniform distribution.

3 Problem Classes 

In this section we formally define the classes of computational problems under
consideration. For our formalization we adapt and extend the framework in [?].

Definition 1 (DL-/DH-type problem). A DL-/DH-type problem P is char-
acterized by

— A tuple of parameters

Param_P = (k, ℓ, c, z)

consisting of some constants k, ℓ ∈ N, c ∈ N_0 where c ≤ ℓ and z ∈ poly(x).

— A structure instance generator SIGen_P(κ) that on input of a security param-
eter κ outputs a tuple of the form

((G, g, n), (I, Q)),

where

• (G, g, n) denotes the algebraic structure instance consisting of descrip-
tions of cyclic groups G = (G_1, ..., G_k) of order n and corresponding
generators g = (g_1, ..., g_k),

• (I, Q) denotes the relation structure instance consisting of the input
polynomials I = (I_1, ..., I_k), with I_i ⊂ L_n^{(ℓ,c)}, |I_i| ≤ z(κ), and the chal-
lenge polynomial Q ∈ L_n^{(ℓ,c)}.



Then a problem instance of V consists of a structure instance 
((G, g,n), (I, Q)) A SIGen-p(K) and group elements {g^^\P £ Ip 1 < i < k), 
where x <— Zjj x (Z*) { ~ c are secret values. Given such a problem instance, the 
challenge is to compute 

! Q(x), for a DL-type problem 
<7^ , for a DH-type problem 

Numerous cryptographically relevant problems fall into the class of DL-type or DH-type problems. Examples are problems such as the DLP, the DHP, a variant of the representation problem, the generalized DHP, the square and inverse exponent problem, the bilinear DHP, the $w$-bilinear DH inversion problem, the $w$-bilinear DH exponent problem, the co-bilinear DHP, and many more. In Appendix A we extend our definitions and conditions to also include problems like the $w$-strong DH and $w$-strong BDH problem where the challenge is specified by a rational function. As an illustration of the definition, we consider the $w$-BDHI problem in more detail.

Example 1 ($w$-BDHIP). For the $w$-BDHI problem we have parameters $\mathrm{Param}_{w\text{-BDHI}} = (3, 1, 0, w+1)$ and a structure instance generator $\mathrm{SIGen}_{w\text{-BDHI}}$ that on input $\kappa$ returns

$$\big((G = (G_1, G_2, G_3),\ g = (g_1, g_2, g_3),\ p),\ (I = (I_1 = \{1\},\ I_2 = \{1, X_1, \dots, X_1^{w(\kappa)}\},\ I_3 = \{1\}),\ Q = X_1^{-1})\big)$$

such that $p$ is a prime, there exists a non-degenerate, efficiently computable bilinear mapping $e : G_2 \times G_3 \to G_1$ with $e(g_2, g_3) = g_1$, and an isomorphism $\psi : G_2 \to G_3$ with $\psi(g_2) = g_3$. A problem instance additionally comprises group elements $(g_i^{P(x)} \mid P \in I_i,\ 1 \le i \le 3) = (g_1, g_2, g_2^{x}, \dots, g_2^{x^{w}}, g_3)$, where $x \leftarrow \mathbb{Z}_p^*$, and the task is to compute $g_1^{Q(x)} = g_1^{x^{-1}}$.

In the remainder of this paper, we are often only interested in individual parts of the output of $\mathrm{SIGen}_{\mathcal{P}}$. To this end, we introduce the following simplifying notation: By $\$ \leftarrow \mathrm{SIGen}_{\mathcal{P}}^{\$}(\kappa)$, where $\$$ is a wildcard character, we denote the projection of $\mathrm{SIGen}_{\mathcal{P}}$'s output to the part $\$$. For instance, $(n, I, Q) \leftarrow \mathrm{SIGen}_{\mathcal{P}}^{(n,I,Q)}(\kappa)$ denotes the projection of the output to the triple consisting of the group order, the input polynomials, and the challenge polynomial. Furthermore, by $[\mathrm{SIGen}_{\mathcal{P}}^{\$}(\kappa)]$ we denote the set of all possible outputs $\$$ for a given fixed security parameter $\kappa$.

4 Extending Shoup’s Generic Group Model 

4.1 Generic Operations 

For our framework we restrict to consider operations of the form $\circ : G_{s_1} \times \dots \times G_{s_u} \to G_d$, where $u \ge 1$ and $s_1, \dots, s_u, d$ are some fixed constants (that do not depend on $\kappa$). Furthermore, we demand that the action of $\circ$ on the group elements can be represented by a fixed regular polynomial. That means, there exists a fixed $F \in \mathbb{Z}[Y_1, \dots, Y_u]$ (also not depending on $\kappa$) such that for any generators $g_{s_1}, \dots, g_{s_u}, g_d$ given as part of a problem instance we have that $\circ(a_1, \dots, a_u) = g_d^{F(v_1, \dots, v_u)}$ where $a_1 = g_{s_1}^{v_1}, \dots, a_u = g_{s_u}^{v_u}$. For instance, the bilinear mapping $e : G_2 \times G_3 \to G_1$ which is part of the algebraic setting of the $w$-BDHIP is such an operation: for any $a_1 = g_2^{v_1}$, $a_2 = g_3^{v_2}$ and $g_1 = e(g_2, g_3)$ it holds that $e(a_1, a_2) = e(g_2^{v_1}, g_3^{v_2}) = g_1^{F(v_1, v_2)}$ where $F = Y_1 Y_2$. In fact, to the best of our knowledge, virtually any deterministic operation considered in the context of the generic group model in the literature so far belongs to this class of operations.

We represent an operation of the above form by a tuple $(\circ, s_1, \dots, s_u, d, F)$, where the first component is a symbol serving as a unique identifier of the operation. The set of allowed operations can thus be specified by a set of such tuples. The full version of this paper [citation] explains how to extend the operation set to include decision oracles.

Example 2 (Operations Set for $w$-BDHIP). The operations set $\Omega = \{(\circ_1, 1, 1, 1, Y_1 + Y_2),\ (\circ_2, 2, 2, 2, Y_1 + Y_2),\ (\circ_3, 3, 3, 3, Y_1 + Y_2),\ (\mathrm{inv}_1, 1, 1, -Y_1),\ (\mathrm{inv}_2, 2, 2, -Y_1),\ (\mathrm{inv}_3, 3, 3, -Y_1),\ (\psi, 2, 3, Y_1),\ (e, 2, 3, 1, Y_1 \cdot Y_2)\}$ specifies operations for the group law ($\circ_i$) and inversion ($\mathrm{inv}_i$) over each group as well as the isomorphism $\psi : G_2 \to G_3$ and the bilinear map $e : G_2 \times G_3 \to G_1$.

4.2 Generic Group Algorithms and Intractability 

In this section, we formally model the notion of generic group algorithms for DL-/DH-type problems. We adapt Shoup's generic group model [2] for this purpose.

Let $S_n \subset \{0,1\}^{\lceil \log_2(n) \rceil}$ denote a set of bit strings of cardinality $n$ and $\Sigma_n$ the set of all bijective functions from $\mathbb{Z}_n$ to $S_n$. Furthermore, let $\sigma = (\sigma_1, \dots, \sigma_k) \leftarrow \Sigma_n^k$ be a $k$-tuple of randomly chosen encoding functions for the groups $G_1, \dots, G_k = \mathbb{Z}_n$.

A generic algorithm $A$ is a probabilistic algorithm that is given access to a generic (multi-)group oracle $\mathcal{O}_\Omega$ allowing $A$ to perform operations from $\Omega$ on encoded group elements. Since any cyclic group of order $n$ is isomorphic to $(\mathbb{Z}_n, +)$, we will always use $\mathbb{Z}_n$ with generator $1$ for the internal representation of a group $G_i$.

As internal state $\mathcal{O}_\Omega$ maintains two types of lists, namely element lists $L_1, \dots, L_k$, where $L_i \subset \mathcal{L}_n^{(\ell,c)}$, and encoding lists $E_1, \dots, E_k$, where $E_i \subset S_n$. For an index $j$ let $L_{i,j}$ and $E_{i,j}$ denote the $j$-th entry of $L_i$ and $E_i$, respectively. Each list $L_i$ is initially populated with the corresponding input polynomials given as part of a problem instance of a DL-/DH-type problem $\mathcal{P}$, i.e., $L_i = (P \mid P \in I_i)$. A list $E_i$ contains the encodings of the group elements corresponding to the entries of $L_i$, i.e., $E_{i,j} = \sigma_i(L_{i,j}(x))$. $E_i$ is initialized with $E_i = (\sigma_i(P(x)) \mid P \in I_i)$. $A$ is given (read) access to all encoding lists. In order to be able to perform operations on the randomly encoded elements, the algorithm may query $\mathcal{O}_\Omega$. Let $(\circ, s_1, \dots, s_u, d, F)$ be an operation from $\Omega$. Upon receiving a query $(\circ, j_1, \dots, j_u)$, the oracle computes $P := F(L_{s_1, j_1}, \dots, L_{s_u, j_u})$, appends $P$ to $L_d$ and $\sigma_d(P(x))$ to the encoding list $E_d$. After having issued a number of queries, $A$ eventually provides its final output. In the case that $\mathcal{P}$ is a DL-type problem, we say that $A$ has solved the problem instance of $\mathcal{P}$ if its output $a$ satisfies $Q(x) - a \equiv 0 \bmod n$. In the case that $\mathcal{P}$ is a DH-type problem, $A$ has solved the problem instance if its output $\sigma_1(a)$ satisfies $Q(x) - a \equiv 0 \bmod n$.

Let a DL-/DH-type problem over cyclic groups $G_1, \dots, G_k$ of order $n$ be given. We can write the group order as $n = p^e \cdot s$ with $\gcd(p, s) = 1$ where $p$ is the largest prime factor of $n$. Then for each $i$ it holds that $G_i \cong G_i^{(p)} \times G_i^{(s)}$ where $G_i^{(p)}$ and $G_i^{(s)}$ are cyclic groups of order $p^e$ and $s$, respectively. It is easy to see that solving an instance of a DL-/DH-type problem over groups $G_i$ of order $n$ is equivalent for a generic algorithm to solving it separately over the subgroups $G_i^{(p)}$ and the subgroups $G_i^{(s)}$. Thus, computing a solution over the groups $G_i$ is at least as hard for generic algorithms as computing a solution over the groups $G_i^{(p)}$. In the following we always assume that $\mathrm{SIGen}_{\mathcal{P}}$ on input $\kappa$ generates groups of prime power order $n = p^e$ with $p > 2^\kappa$ and $e > 0$.
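The oracle $\mathcal{O}_\Omega$ just described, as an added simulation that is not part of the paper: Python code for the $w$-BDHI setting of Examples 1 and 2, assuming $n = p$ prime, $c = 0$ (all secrets are units) and integers $0 \dots p-1$ in place of the bit strings of $S_n$; a deliberately tiny $p$ makes visible how an equality of encodings between two polynomials that do not agree on every admissible $x$ leaks a root of their difference to the algorithm.

```python
# Added simulation of the generic multi-group oracle O_Omega of Section 4.2 for the
# w-BDHI setting of Examples 1 and 2; not code from the paper.  Assumptions: n = p
# prime and c = 0 (every secret is a unit), and integers 0..p-1 stand in for the bit
# strings of S_n.  Laurent polynomials are dicts {exponent tuple: coefficient mod p}.
import random
from math import prod

def poly_add(P, Q, p):
    R = dict(P)
    for m, c in Q.items():
        R[m] = (R.get(m, 0) + c) % p
    return {m: c for m, c in R.items() if c}

def poly_neg(P, p):
    return {m: (-c) % p for m, c in P.items()}

def poly_mul(P, Q, p):
    R = {}
    for m1, c1 in P.items():
        for m2, c2 in Q.items():
            m = tuple(a + b for a, b in zip(m1, m2))
            R[m] = (R.get(m, 0) + c1 * c2) % p
    return {m: c for m, c in R.items() if c}

def poly_eval(P, x, p):
    # pow(x_i, e, p) with e < 0 uses the modular inverse, which exists since x_i is a unit
    return sum(c * prod(pow(xi, e, p) for xi, e in zip(x, m)) for m, c in P.items()) % p

def in_ideal(P, p):
    """Is P in the ideal of Laurent polynomials vanishing on all of (Z_p^*)^l?  On units
    X_i^(p-1) = 1, so reduce exponents mod p-1; the result has degree < p-1 in each
    variable and vanishes everywhere iff it is the zero polynomial."""
    R = {}
    for m, c in P.items():
        r = tuple(e % (p - 1) for e in m)
        R[r] = (R.get(r, 0) + c) % p
    return not any(R.values())

class GenericOracle:
    """Keeps element lists L_i, encoding lists E_i and random encodings sigma_i."""
    def __init__(self, ops, inputs, Q, x, p, rng):
        self.ops = {name: (src, d, F) for name, src, d, F in ops}
        self.Q, self.x, self.p = Q, x, p
        self.sigma = [rng.sample(range(p), p) for _ in inputs]   # bijections Z_p -> S_p
        self.L = [list(I_i) for I_i in inputs]                   # L_i = (P | P in I_i)
        self.E = [[self.sigma[i][poly_eval(P, x, p)] for P in L_i]
                  for i, L_i in enumerate(self.L)]               # E_ij = sigma_i(L_ij(x))

    def query(self, name, *js):
        """Query (o, j_1..j_u): append F(L_{s_1,j_1}, ...) to L_d and its encoding to E_d."""
        src, d, F = self.ops[name]
        P = F([self.L[s - 1][j] for s, j in zip(src, js)], self.p)
        self.L[d - 1].append(P)
        self.E[d - 1].append(self.sigma[d - 1][poly_eval(P, self.x, self.p)])
        return self.E[d - 1][-1]

    def collisions(self):
        """All (i, j, j', nontrivial) with E_ij == E_ij'; nontrivial iff L_ij - L_ij' is
        not in the ideal, i.e. the equality tells A that x is a root of L_ij - L_ij'."""
        out = []
        for i, (L_i, E_i) in enumerate(zip(self.L, self.E), start=1):
            for j in range(len(E_i)):
                for jp in range(j + 1, len(E_i)):
                    if E_i[j] == E_i[jp]:
                        diff = poly_add(L_i[j], poly_neg(L_i[jp], self.p), self.p)
                        out.append((i, j, jp, not in_ideal(diff, self.p)))
        return out

    def solved(self, enc):
        """DH-type success criterion: the output encoding is sigma_1(Q(x))."""
        return enc == self.sigma[0][poly_eval(self.Q, self.x, self.p)]

def wbdhi_oracle(w, x, p, seed=1):
    """w-BDHIP instance (Example 1) under the operations set of Example 2."""
    one = {(0,): 1}
    inputs = [[one], [one] + [{(i,): 1} for i in range(1, w + 1)], [one]]
    add = lambda a, p: poly_add(a[0], a[1], p)
    neg = lambda a, p: poly_neg(a[0], p)
    ops = [("o1", (1, 1), 1, add), ("o2", (2, 2), 2, add), ("o3", (3, 3), 3, add),
           ("inv1", (1,), 1, neg), ("inv2", (2,), 2, neg), ("inv3", (3,), 3, neg),
           ("psi", (2,), 3, lambda a, p: a[0]),                     # psi: G_2 -> G_3, F = Y_1
           ("e", (2, 3), 1, lambda a, p: poly_mul(a[0], a[1], p))]  # e: G_2 x G_3 -> G_1
    return GenericOracle(ops, inputs, {(-1,): 1}, (x,), p, random.Random(seed))  # Q = X_1^-1

def demo(p=11, w=2, x=10):
    """Tiny p makes leaks visible: x = 10 = -1 mod 11 is a root of X^2 - 1, which is not
    in the ideal, so two distinct polynomials collide and reveal that x^2 = 1."""
    O = wbdhi_oracle(w, x, p)
    O.query("e", 1, 0)     # e(g_2^x, g_3)    -> L_1 gets X
    O.query("psi", 1)      # psi(g_2^x)       -> L_3 gets X
    O.query("e", 1, 1)     # e(g_2^x, g_3^x)  -> L_1 gets X^2: collides with the input 1
    O.query("e", 1, 0)     # repeats query 1  -> a trivial collision (X - X = 0)
    return O
```

For this $x$ the entry $X$ of $L_1$ already encodes $g_1^{Q(x)}$, since $x^{-1} = x$ when $x^2 = 1$; with $p > 2^\kappa$ such coincidences are exactly the events whose probability Sections 5 and 6 bound.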


Definition 2 ($q$-GGA). A $q$-GGA is a generic group algorithm that for any $\kappa \in \mathbb{N}$ it receives as part of its input, makes at most $q(\kappa)$ queries to the generic group oracle.


Definition 3 (GGA-intractability of DL-type Problems). A DL-type problem $\mathcal{P}$ is $(\Omega, q, \nu)$-GGA-intractable if for all $q$-GGA $A$ and $\kappa \in \mathbb{N}$ we have

$$\Pr\left[\, Q(x) = a \bmod n \;:\; (n, I, Q) \leftarrow \mathrm{SIGen}_{\mathcal{P}}^{(n,I,Q)}(\kappa);\ \sigma \leftarrow \Sigma_n^k;\ x \leftarrow \mathbb{Z}_n^c \times (\mathbb{Z}_n^*)^{\ell-c};\ a \leftarrow A^{\mathcal{O}_\Omega}\big(\kappa, n, I, Q, (\sigma_i(P(x)) \mid P \in I_i)_{1 \le i \le k}\big) \,\right] \le \nu(\kappa).$$


Definition 4 (GGA-intractability of DH-type Problems). A DH-type problem $\mathcal{P}$ is $(\Omega, q, \nu)$-GGA-intractable if for all $q$-GGA $A$ and $\kappa \in \mathbb{N}$ we have

$$\Pr\left[\, Q(x) = a \bmod n \;:\; (n, I, Q) \leftarrow \mathrm{SIGen}_{\mathcal{P}}^{(n,I,Q)}(\kappa);\ \sigma \leftarrow \Sigma_n^k;\ x \leftarrow \mathbb{Z}_n^c \times (\mathbb{Z}_n^*)^{\ell-c};\ \sigma_1(a) \leftarrow A^{\mathcal{O}_\Omega}\big(\kappa, n, I, Q, (\sigma_i(P(x)) \mid P \in I_i)_{1 \le i \le k}\big) \,\right] \le \nu(\kappa).$$


5 Abstract Hardness Conditions: Linking GGA and SLP 
Intractability 

Informally speaking, the level of intractability of a DL-/DH-type problem with respect to generic algorithms can be "measured" by means of two "quantities":

1. The probability of gaining information about the secret choices $x$ in the course of a computation by means of non-trivial equalities between group elements. This quantity is called leak-resistance.

2. The probability of solving problem instances using a trivial strategy, i.e., by taking actions independently of (in)equalities of computed group elements and thus independently of the specific problem instance. This quantity is called SLP-intractability.
For formalizing both quantities, we make use of so-called straight-line program (SLP) generators. Note that SLPs are a very common concept in the field of computational algebra and have also proved their usefulness in the area of cryptography. However, the SLP model and the GGA model have not been explicitly related in the literature so far.


Definition 5 ($(\Omega, q)$-SLP-generator). A $(\Omega, q)$-SLP-generator $S$ is a probabilistic algorithm that on input $(\kappa, n, I, Q)$, outputs lists $(L_1, \dots, L_k)$ where $L_i \subset \mathcal{L}_n^{(\ell,c)}$. Each list $L_i$ is initially populated with $L_i = (P \mid P \in I_i)$. The algorithm can append a polynomial to a list by applying an operation from $\Omega$ to polynomials already contained in the lists, i.e., for an operation $(\circ, s_1, \dots, s_u, d, F) \in \Omega$ and existing polynomials $P_1 \in L_{s_1}, \dots, P_u \in L_{s_u}$ the algorithm can append $F(P_1, \dots, P_u)$ to $L_d$. In this way, the algorithm may add up to $q(\kappa)$ polynomials in total to the lists. The algorithm additionally outputs an element $a \in \mathbb{Z}_n$ in the case of a DL-type problem and a polynomial $P \in L_1$ in the case of a DH-type problem, respectively.

Let us first formalize the leak-resistance of a problem. When do group elements actually leak information due to equality relations? To see this, reconsider the definition of the generic oracle in Section 4.2 and observe that two encodings $E_{i,j}$ and $E_{i,j'}$ are equal if and only if the evaluation $(L_{i,j} - L_{i,j'})(x)$ yields zero. However, it is clear that such an equality relation yields no information about particular choices $x$ if it holds for all elements from $\mathbb{Z}_n^c \times (\mathbb{Z}_n^*)^{\ell-c}$. Thus, denoting the ideal of $\mathcal{L}_n^{(\ell,c)}$ containing all Laurent polynomials that are effectively zero over $\mathbb{Z}_n^c \times (\mathbb{Z}_n^*)^{\ell-c}$ by

$$\mathcal{I}_n = \{ P \in \mathcal{L}_n^{(\ell,c)} \mid \forall x \in \mathbb{Z}_n^c \times (\mathbb{Z}_n^*)^{\ell-c} : P(x) = 0 \bmod n \} \qquad (1)$$

an equality yields no information at all if $(L_{i,j} - L_{i,j'}) \in \mathcal{I}_n$. Otherwise, a non-trivial collision occurred and $A$ learns that $x$ is a modular root of $L_{i,j} - L_{i,j'}$.

By Definition 6 we capture the chance that information about the secret choices $x$ is leaked in the course of a computation due to non-trivial equalities between group elements. For this purpose we can make use of $(\Omega, q)$-SLP-generators since they generate all possible sequences of polynomials that may occur in an execution of a $q$-GGA.

Definition 6 (Leak-resistance). A DL-/DH-type problem $\mathcal{P}$ is $(\Omega, q, \nu)$-leak-resistant if for all $(\Omega, q)$-SLP-generators $S$ and $\kappa \in \mathbb{N}$ we have

$$\Pr\left[\, \exists i \text{ and } P, P' \in L_i \text{ such that } (P - P')(x) \equiv 0 \bmod n \ \wedge\ P - P' \notin \mathcal{I}_n \;:\; (n, I, Q) \leftarrow \mathrm{SIGen}_{\mathcal{P}}^{(n,I,Q)}(\kappa);\ (L_1, \dots, L_k) \leftarrow S(\kappa, n, I, Q);\ x \leftarrow \mathbb{Z}_n^c \times (\mathbb{Z}_n^*)^{\ell-c} \,\right] \le \nu(\kappa).$$


Now assume that no information about $x$ can be gained. In this case, we can restrict to consider algorithms applying trivial solution strategies to solve instances of a problem. That means, we can restrict our considerations to the subclass of generic algorithms that, when fixing all inputs except for the choice of $x$, always apply the same fixed sequence of operations from $\Omega$ and provide the same output in order to solve an arbitrary problem instance. Thus, the algorithm actually acts as a straight-line program in this case.

Definition 7 (SLP-intractability of DL-Type Problems). A DL-type problem $\mathcal{P}$ is $(\Omega, q, \nu)$-SLP-intractable if for all $(\Omega, q)$-SLP-generators $S$ and $\kappa \in \mathbb{N}$ we have

$$\Pr\left[\, Q(x) = a \bmod n \;:\; (n, I, Q) \leftarrow \mathrm{SIGen}_{\mathcal{P}}^{(n,I,Q)}(\kappa);\ (a, L_1, \dots, L_k) \leftarrow S(\kappa, n, I, Q);\ x \leftarrow \mathbb{Z}_n^c \times (\mathbb{Z}_n^*)^{\ell-c} \,\right] \le \nu(\kappa).$$


Definition 8 (SLP-intractability of DH-type Problems). A DH-type problem $\mathcal{P}$ is $(\Omega, q, \nu)$-SLP-intractable if for all $(\Omega, q)$-SLP-generators $S$ and $\kappa \in \mathbb{N}$ we have

$$\Pr\left[\, (P - Q)(x) = 0 \bmod n \;:\; (n, I, Q) \leftarrow \mathrm{SIGen}_{\mathcal{P}}^{(n,I,Q)}(\kappa);\ (P, L_1, \dots, L_k) \leftarrow S(\kappa, n, I, Q);\ x \leftarrow \mathbb{Z}_n^c \times (\mathbb{Z}_n^*)^{\ell-c} \,\right] \le \nu(\kappa).$$


Theorem 1 (GGA-intractability of DL-/DH-type Problems). If a DL-type problem is $(\Omega, q, \nu_1)$-leak-resistant and $(\Omega, q, \nu_2)$-SLP-intractable then it is $(\Omega, q, \nu_1 + \nu_2)$-GGA-intractable. If a DH-type problem is $(\Omega, q, \nu_1)$-leak-resistant and $(\Omega, q, \nu_2)$-SLP-intractable then it is $(\Omega, q, 2^{-\kappa}(q(\kappa) + z(\kappa)) + \nu_1 + \nu_2)$-GGA-intractable.

The proof of this theorem is given in the full version of the paper [citation].

6 Practical Conditions 

In this section, we present easily checkable conditions ensuring that a DL-/DH-type problem is $(\Omega, q, \nu_1)$-leak-resistant and $(\Omega, q, \nu_2)$-SLP-intractable with $q$ being polynomial and $\nu_1$ and $\nu_2$ being negligible functions in the security parameter. Reviewing the corresponding definitions, we see that the probabilities $\nu_1$ and $\nu_2$ are closely related to the probability of randomly picking roots of certain multivariate Laurent polynomials. Lemma 1 shows in turn that the probability of finding such a root is small for non-zero polynomials in $\mathcal{L}_n^{(\ell,c)}$ having low total degrees.

Lemma 1. Let $p$ be a prime, $e \in \mathbb{N}$, $n = p^e$, and let $P \in \mathcal{L}_n^{(\ell,c)}$ be a non-zero Laurent polynomial of total degree $d$. Then for $x \leftarrow \mathbb{Z}_n^c \times (\mathbb{Z}_n^*)^{\ell-c}$ we have

$$\Pr[P(x) = 0 \bmod n] \le \frac{d}{p-1}.$$
6.1 Operations Sets as Graphs: Bounding Polynomial Degrees

We aim at formalizing the class of operations sets that only allow for a small rise in the degrees of polynomials that can be generated by any $(\Omega, q)$-SLP-generator $S$. Remember, these are the polynomials that can be generated from the input polynomials by applying operations from $\Omega$ at most $q(\kappa)$ times. To this end, we introduce a special type of graph, called operations set graph (Definition 9), modeling an operations set and reflecting the corresponding rise of degrees.

Definition 9 (Operations Set Graph). An operations set graph $\mathcal{G} = (V, E)$ is a directed multi-edge multi-vertex graph. There are two types of vertices, namely group and product vertices. The vertex set $V$ contains at least one group vertex. Each group vertex in $V$ is labeled with a unique integer. All product vertices are labeled by $\Pi$. Any edge in $E$ may connect two group vertices or a group and a product vertex.

Let $\Omega$ be an operations set involving $k$ groups. Then the operations set graph $\mathcal{G}_\Omega = (V, E)$ corresponding to $\Omega$ is constructed as follows: $V$ is initialized with $k$ group vertices representing the $k$ different groups, where these vertices are labeled with the numbers that are used in the specification of $\Omega$, say the numbers $1$ to $k$. For each operation $(\circ, s_1, \dots, s_u, d, F) \in \Omega$ we add additional product vertices to $V$ and edges to $E$. Let $F = \sum_i M_i$ be represented as the sum of non-zero monomials. Then for each $M_i$ we do the following:

1. We add a product vertex and an edge from this vertex to the group vertex with label $d$.

2. For each variable $Y_j$ ($1 \le j \le u$) occurring with non-zero exponent $l$ in $M_i$ we add $l$ edges from the group vertex labeled with the integer $s_j$ to the product vertex just added before.

In order to embed the notion of increasing polynomial degrees by applying operations into the graph model we introduce the following graph terminology: We associate each group vertex in a graph with a number, called weight. The weight may change by doing walks through the graph. Taking a walk through the graph means to take an arbitrary path that contains exactly two group vertices (that are not necessarily different) where one of these vertices is the start point and the other is the end point of the path. A walk modifies the weight of the end vertex in the following way:

— If the path contains only the two group vertices, the new weight is set to be the maximum of the weights of the start and end vertex.

— If the path contains a product vertex, the new weight is set to be the maximum of the old weight and $\sum_{j=1}^{u} w_j$, where $u$ is the indegree and $w_j$ is the weight of the $j$-th predecessor of this product vertex.

We define a free walk to be a walk through a path that only consists of the two group vertices and no other vertex. A non-free walk is a walk through a path containing a product vertex. It is important to observe that

— a non-free walk can actually increase the maximum vertex weight of a graph in contrast to a free walk.

— after each non-free walk the weight of any vertex can be changed at most finitely many times by doing free walks.

Fig. 1. $\mathcal{G}_\Omega$ for $\Omega = \{(\circ_1, 1, 1, 1, Y_1 + Y_2),\ (\circ_2, 2, 2, 2, Y_1 + Y_2),\ (\circ_3, 3, 3, 3, Y_1 + Y_2),\ (\mathrm{inv}_1, 1, 1, -Y_1),\ (\mathrm{inv}_2, 2, 2, -Y_1),\ (\mathrm{inv}_3, 3, 3, -Y_1),\ (\psi, 2, 3, Y_1),\ (e, 2, 3, 1, Y_1 \cdot Y_2)\}$ of $w$-BDHIP. Strongly connected components are marked by dashed borders.

Hence, the following definition of the $q$-weight makes sense: Let $q$ be a fixed positive number. We consider finite sequences of walks through a graph, where each sequence consists of exactly $q$ non-free walks and an arbitrary finite number of free walks. We define the $q$-weight of a (group) vertex to be the maximum weight of this vertex over all such sequences. Similarly, we define the $q$-weight of an operations set graph to be the maximum of the $q$-weights of all its vertices.

Obviously, the $q$-weights of the vertices $1, \dots, k$ of an operations set graph $\mathcal{G}_\Omega$ can be used to upper bound the degrees of the output polynomials $L_1, \dots, L_k$ of any $(\Omega, q)$-SLP-generator $S$ when setting the initial weight of each group vertex $i$ to the maximal degree of the polynomials in $I_i$. Similarly, we can bound the maximum positive or negative exponent of a single variable $X_j$ by setting the initial weight of the group vertex $i$ to be the maximum degree of $X_j$ in any polynomial in $I_i$.

With regard to the definition of the $q$-weight, we can immediately simplify the structure of operations set graphs: Clearly, we do not change the $q$-weight of a graph if we remove self-loops and product vertices with indegree 1, where in the latter case the two edges entering and leaving the vertex are replaced by a single edge going from the predecessor vertex to the successor vertex. We call such a graph a reduced operations set graph. As an illustrating example, consider the reduced operations set graph depicted in Figure 1 which belongs to the operations set for the $w$-BDHI problem (cf. Example 2).

The following condition characterizes graphs that do not allow for a super-polynomial growth of vertex weights. Intuitively, it prohibits any kind of repeated doubling. For the $q$-weight of operations set graphs satisfying Condition 1 it is possible to derive non-trivial upper bounds as given in Theorem 2. The proof is given in the full version of the paper [12].
Condition 1. Let $\mathcal{G}_\Omega$ be a reduced operations set graph. Then for every strongly connected component¹ $C$ of $\mathcal{G}_\Omega$ it holds that every product vertex contained in $C$ has at most one incoming edge from a vertex that is also contained in $C$.

Theorem 2. Let $\mathcal{G}_\Omega$ be a reduced operations set graph satisfying Condition 1. Let $n_1$ denote the number of product vertices contained in $\mathcal{G}_\Omega$, $w_{\max}$ the maximal indegree of these product vertices, $d_{\max}$ the maximal initial weight of any group vertex, and $n_2$ the number of SCCs containing at least one product and one group vertex. Then the $q$-weight of $\mathcal{G}_\Omega$ is upper bounded by

$$D(n_1, n_2, w_{\max}, d_{\max}, q),$$

a function given by a case distinction between $n_2 = 0$, $n_2 > 0$ with $q < n_1$, and $n_2 > 0$ with $q \ge n_1$, where $e$ denotes Euler's number.

Example 3. Condition 1 is satisfied for $\mathcal{G}_\Omega$ depicted in Figure 1 since the strongly connected component containing the product vertex contains no other vertices. We have $n_1 = 1$, $n_2 = 0$, and $w_{\max} = 2$. Since the problem instance implies $d_{\max} = w$ we have that the $q$-weight of the graph is bounded by $2w$.

Note that the factor by which the (maximal) initial weight of the vertices can be increased only depends on the particular operations set graph. Hence, once we have shown that an operations set only allows degrees to be increased by a low (i.e., polynomial) factor, this certainly holds for all problems involving this operations set and does not need to be reproven (as is currently done in the literature).

It is possible to devise a graph algorithm (Algorithm 1) that finds individual bounds on the $q$-weights of the group vertices which are often tighter than the generic bound from Theorem 2. The principle of the algorithm is simple. We consider the directed acyclic graph that is composed of the SCCs of the operations set graph. We move from the sources to the sinks of the DAG and recursively bound the $q$-weights of the vertices within each SCC. In the end when all SCCs are labeled with such a bound, the $q$-weight of a group vertex is simply set to be the $q$-weight bound of the (unique) SCC in which it is contained.

6.2 Practical Conditions: Leak-Resistance 

To provide leak-resistance, we ensure that any difference of two distinct polynomials computable by a $(\Omega, q)$-SLP-generator is of low degree. We do so by demanding that the input polynomials $I$ of a problem $\mathcal{P}$ have low degrees (Condition 2) and restrict to operations sets $\Omega$ only allowing for a small increase of degrees (Condition 1). If these conditions are satisfied, we can derive a concrete leak-resistance bound $\nu$ for any runtime bound $q$ (Theorem 3).

¹ A strongly connected component of a directed graph $\mathcal{G}_\Omega = (V, E)$ is a maximal set of vertices $U \subset V$ s.t. every two vertices in $U$ are reachable from each other. The strongly connected components of a graph can be computed in time $O(|V| + |E|)$.
Algorithm 1. Computation of the $q$-weights of group vertices
Input: $q$, reduced operations set graph $\mathcal{G}$ satisfying Condition 1, initial weights for the $k$ group vertices in $\mathcal{G}$
Output: $q$-weights $w_1, \dots, w_k$ of vertices $1, \dots, k$

1: Perform a topological sort on the DAG of $\mathcal{G}$, i.e., arrange the SCCs of $\mathcal{G}$ in layers $0$ to $\ell$ such that SCCs in layer $j$ can only receive edges from SCCs contained in layers $i < j$.
2: for each layer $j = 0 : \ell$ do
3:   for each SCC $C$ in layer $j$ do
4:     if $C$ consists only of group vertices then
5:       set weight of $C$ to maximum of weights of vertices contained in $C$ and weights of SCCs in layers $i < j$ having edges to $C$
6:     end if
7:     if $C$ consists only of a single product vertex then
8:       set weight of $C$ to sum of weights of SCCs in layers $i < j$ having edges to $C$
9:     end if
10:    if $C$ consists of at least one product vertex and one group vertex then
11:      let $w$ be the maximum of the weights of group vertices contained in $C$ and the weights of SCCs in layers $i < j$ having edges to these group vertices
12:      for each product vertex $\Pi$ in $C$, compute sum of weights of SCCs in layers $i < j$ having edges to $\Pi$, and let $v$ be the maximum of these sums
13:      set weight of $C$ to $w + q \cdot v$
14:    end if
15:  end for
16: end for
17: for $i = 1 : k$ do
18:   set $w_i$ to weight of SCC containing the group vertex $i$
19: end for
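As an added worked example (not the paper's code), the following Python builds the operations set graph of Definition 9 from an operations set, reduces it, checks Condition 1 on its strongly connected components and runs Algorithm 1; applied to the $w$-BDHIP operations set of Example 2 with initial weights $0, w, 0$ it returns the $q$-weights $2w, w, w$, matching the bound $2w$ of Example 3. The encoding of operations as tuples of Python values is an assumption of this example.

```python
# Added worked example for Definition 9, Condition 1 and Algorithm 1; not the paper's
# code.  An operation (o, s_1, ..., s_u, d, F) is written (name, (s_1, ..., s_u), d,
# monomials) where F's monomials are dicts {j: exponent} over the variables Y_j.
from collections import defaultdict

def is_product(v):
    return isinstance(v, str)      # group vertices are the ints 1..k, product vertices 'pi<n>'

def build_graph(ops, k):
    """Operations set graph G_Omega as (vertices, multi-edge list of (u, v))."""
    vertices, edges = set(range(1, k + 1)), []
    for _name, sources, d, monomials in ops:
        for mono in monomials:                   # one product vertex per non-zero monomial
            pv = "pi%d" % (len(vertices) - k)
            vertices.add(pv)
            edges.append((pv, d))                # step 1: edge to the group vertex d
            for j, exp in mono.items():          # step 2: exp edges from s_j to the product vertex
                edges += [(sources[j - 1], pv)] * exp
    return vertices, edges

def reduce_graph(vertices, edges):
    """Reduced graph: indegree-1 product vertices become a direct edge, self-loops are dropped."""
    indeg = defaultdict(int)
    for _u, v in edges:
        indeg[v] += 1
    kept = set(vertices)
    for pv in [v for v in vertices if is_product(v) and indeg[v] == 1]:
        pred = next(u for u, v in edges if v == pv)
        succ = next(v for u, v in edges if u == pv)
        edges = [(u, v) for u, v in edges if pv not in (u, v)] + [(pred, succ)]
        kept.discard(pv)
    return kept, [(u, v) for u, v in edges if u != v]

def sccs(vertices, edges):
    """Strongly connected components (Tarjan), returned as frozensets."""
    adj = defaultdict(list)
    for u, v in edges:
        adj[u].append(v)
    index, low, stack, on_stack, out = {}, {}, [], set(), []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in adj[v]:
            if w not in index:
                visit(w); low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                   # v is the root of a component
            comp = set()
            while True:
                w = stack.pop(); on_stack.discard(w); comp.add(w)
                if w == v:
                    break
            out.append(frozenset(comp))
    for v in vertices:
        if v not in index:
            visit(v)
    return out

def satisfies_condition1(vertices, edges):
    """Condition 1: every product vertex has at most one incoming edge from its own SCC."""
    comp_of = {v: c for c in sccs(vertices, edges) for v in c}
    internal = defaultdict(int)
    for u, v in edges:
        if is_product(v) and comp_of[u] == comp_of[v]:
            internal[v] += 1
    return all(n <= 1 for n in internal.values())

def q_weights(q, vertices, edges, init):
    """Algorithm 1. init maps each group vertex to its initial weight (max input degree)."""
    comps = sccs(vertices, edges)
    comp_of = {v: c for c in comps for v in c}
    inter = [(comp_of[u], comp_of[v], v) for u, v in edges if comp_of[u] != comp_of[v]]
    layer = {}
    def layer_of(c):                             # step 1: layers of the SCC DAG
        if c not in layer:
            layer[c] = 1 + max((layer_of(a) for a, b, _ in inter if b == c), default=-1)
        return layer[c]
    weight = {}
    for c in sorted(comps, key=layer_of):        # steps 2-3: every SCC, layer by layer
        groups, prods = [v for v in c if not is_product(v)], [v for v in c if is_product(v)]
        if not prods:                                                  # steps 4-6
            weight[c] = max([init[v] for v in groups] + [weight[a] for a, b, _ in inter if b == c])
        elif not groups:                                               # steps 7-9
            weight[c] = sum(weight[a] for a, b, _ in inter if b == c)
        else:                                                          # steps 10-14
            w = max([init[v] for v in groups]
                    + [weight[a] for a, b, t in inter if b == c and not is_product(t)])
            vmax = max(sum(weight[a] for a, _b, t in inter if t == pv) for pv in prods)
            weight[c] = w + q * vmax
    return {v: weight[comp_of[v]] for v in vertices if not is_product(v)}  # steps 17-19

# Operations set of Example 2: Y_1 + Y_2 is [{1: 1}, {2: 1}], -Y_1 is [{1: 1}], Y_1*Y_2 is [{1: 1, 2: 1}]
W_BDHI_OPS = [("o1", (1, 1), 1, [{1: 1}, {2: 1}]), ("o2", (2, 2), 2, [{1: 1}, {2: 1}]),
              ("o3", (3, 3), 3, [{1: 1}, {2: 1}]), ("inv1", (1,), 1, [{1: 1}]),
              ("inv2", (2,), 2, [{1: 1}]), ("inv3", (3,), 3, [{1: 1}]),
              ("psi", (2,), 3, [{1: 1}]), ("e", (2, 3), 1, [{1: 1, 2: 1}])]

def wbdhi_q_weights(w, q):
    """Example 3: initial weights are the input degrees 0, w, 0 of I_1, I_2, I_3."""
    verts, edges = reduce_graph(*build_graph(W_BDHI_OPS, 3))
    assert satisfies_condition1(verts, edges)
    return q_weights(q, verts, edges, {1: 0, 2: w, 3: 0})   # {1: 2*w, 2: w, 3: w}
```

An operations set with a multiplication $G_1 \times G_1 \to G_1$ ($F = Y_1 Y_2$) fails Condition 1, since its product vertex receives two edges from inside its own SCC; the code reports that case as well.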


Condition 2. There exists $r_1 \in \mathrm{poly}(x)$ such that for all $\kappa \in \mathbb{N}$, $I \in [\mathrm{SIGen}_{\mathcal{P}}^{I}(\kappa)]$ we have $\max_{1 \le i \le k,\ P \in I_i} (\deg(P)) \le r_1(\kappa)$.

Theorem 3. Let $\Omega$ be an operations set such that Condition 1 is satisfied. Furthermore, let $\mathcal{P}$ be a DL-type or DH-type problem satisfying Condition 2. Then for any $q \in \mathrm{poly}(x)$, the problem $\mathcal{P}$ is $(\Omega, q, \nu)$-leak-resistant, where

$$\nu(\kappa) = 2^{-\kappa}\, k\, (q(\kappa) + z(\kappa))^2\, (\ell - c + 1)\, D(n_1, n_2, w_{\max}, r_1(\kappa), q(\kappa)).$$

Example 4 (Leak-resistance for $w$-BDHIP). The degrees of the input polynomials of the $w$-BDHI problem are polynomially upper bounded through $w$ by definition. Example 3 showed that $\Omega$ satisfies Condition 1 yielding $D(1, 0, 2, w(\kappa), q(\kappa)) = 2w(\kappa)$. Furthermore, for $w$-BDHIP we have parameters $k = 3$, $\ell = 1$, and $c = 0$. Thus, by Theorem 3 the problem $\mathcal{P}$ is $(\Omega, q, \nu)$-leak-resistant, where $\nu(\kappa) = 2^{-\kappa} \cdot 12\, (q(\kappa) + w(\kappa) + 1)^2\, w(\kappa)$.
6.3 Practical Conditions: SLP-Intractability of DL-Type Problems

In view of Lemma 1, in order to ensure SLP-intractability for a DL-type problem it suffices to require the challenge polynomial to be non-constant (Condition 3) and of low degree (Condition 4).

Condition 3. There exists $\kappa_0 \in \mathbb{N}$ such that for all $\kappa \ge \kappa_0$, $(n, Q) \in [\mathrm{SIGen}_{\mathcal{P}}^{(n,Q)}(\kappa)]$ the polynomial $Q$ is not a constant in $\mathcal{L}_n^{(\ell,c)}$.

Condition 4. There exists $r_2 \in \mathrm{poly}(x)$ such that for all $\kappa \in \mathbb{N}$, $Q \in [\mathrm{SIGen}_{\mathcal{P}}^{Q}(\kappa)]$ we have $\deg(Q) \le r_2(\kappa)$.

Assuming the above conditions are satisfied for a DL-type problem, Theorem 4 implies that the problem is $(\Omega, q, \nu)$-SLP-intractable, where $q$ is an arbitrary polynomial and $\nu$ is a negligible function in the security parameter.

Theorem 4. Let $\mathcal{P}$ be a DL-type problem satisfying Condition 3 and Condition 4. Then for any $q \in \mathrm{poly}(x)$ and any operations set $\Omega$, $\mathcal{P}$ is $(\Omega, q, \nu)$-SLP-intractable, where



6.4 Practical Conditions: SLP-intractability of DH-Type Problems 

To ensure SLP-intractability of DH-type problems we formulate similar conditions as in the case of DL-type problems. More precisely, we ensure that the difference polynomials considered in the definition of SLP-intractability (Definition 8) are never zero and of low degree.

The non-triviality condition (Condition 5) states that an efficient SLP-generator can hardly ever compute the challenge polynomial, and thus solve the problem with probability 1.

Condition 5. For every $q \in \mathrm{poly}(x)$ there exists $\kappa_0 \in \mathbb{N}$ such that for all $\kappa \ge \kappa_0$, $(\Omega, q)$-SLP-generators $S$, $(n, I, Q) \in [\mathrm{SIGen}_{\mathcal{P}}^{(n,I,Q)}(\kappa)]$, and $(P, L_1, \dots, L_k) \in [S(\kappa, n, I, Q)]$ we have $P \ne Q$ in $\mathcal{L}_n^{(\ell,c)}$.


We note that Condition 5 appears to be more complex compared to the practical conditions seen so far and it is not clear to us how to verify it in its full generality. However, it is usually easy to check in the case of a problem of practical relevance. Usually, one of the following properties is satisfied implying the validity of Condition 5:

— The total degree of $P \in L_1$ is bounded by a value which is smaller than the total degree of $Q$.

— The positive/negative degree of $P \in L_1$ is bounded by a value which is smaller than the positive/negative degree of $Q$.

— The positive/negative degree of some variable $X_j$ of $P \in L_1$ is bounded by a value which is smaller than the positive/negative degree of that variable in $Q$.

Remember that we can make use of the results from Section 6.1 for proving that a problem satisfies one of these properties.

Moreover, we have to prevent that an $(\Omega, q)$-SLP-generator outputs a polynomial $P \ne Q$ which frequently "collides" with $Q$ and thus constitutes a good interpolation for $Q$. If $P$ is of low degree (Conditions 1 and 2), then it is sufficient to demand that $Q$ is of low degree as well (Condition 4).

Hence, we need the practical conditions for leak-resistance in addition to the ones stated in this section for showing that a DH-type problem is $(\Omega, q, \nu)$-SLP-intractable, where $\nu$ is a negligible function in the security parameter.

Theorem 5. Let $\Omega$ be an operations set such that Condition 1 is satisfied. Furthermore, let $\mathcal{P}$ be a DH-type problem satisfying Condition 2, Condition 4 and Condition 5. Then for any $q \in \mathrm{poly}(x)$, the problem $\mathcal{P}$ is $(\Omega, q, \nu)$-SLP-intractable, where

$$\nu(\kappa) = \begin{cases} 1, & \kappa < \kappa_0 \\ \ldots, & \kappa \ge \kappa_0 \end{cases}$$

is a negligible function.

Example 5 (SLP-intractability of $w$-BDHIP). Remember that for this problem the challenge polynomial is fixed to $Q = X_1^{-1}$. Moreover, observe that all variables occurring in the input polynomials only have positive exponents. Thus, any polynomial $P \in L_1$ has only positive exponents in any variable. Hence, Condition 5 is trivially satisfied (independently of the considered operations set $\Omega$). Condition 4 is satisfied since we always have $\deg(Q) = 1 =: r_2(\kappa)$. As we have already seen in the previous sections, Conditions 1 and 2 hold yielding the upper bound $D(1, 0, 2, w(\kappa), q(\kappa)) = 2w(\kappa)$ on the degrees of the polynomials $P \in L_1$. Thus, by Theorem 5 the problem is $(\Omega, q, \nu)$-SLP-intractable, where $\nu(\kappa) = 2^{-\kappa}(2 + 4w(\kappa))$.
A Rational Functions Specifying Problem Challenges

Our framework so far only covers problems where the solution of a problem instance can be represented as a Laurent polynomial. This restriction excludes important problems like the $w$-strong Diffie-Hellman problem or the $w$-strong Bilinear Diffie-Hellman problem. Informally speaking, the $w$-SDH problem can be described as follows: Given group elements $g, g^{x}, g^{x^2}, \dots, g^{x^{w}}$, where $x \leftarrow \mathbb{Z}_p^*$, the task is to find an integer $v \in \mathbb{Z}_p^*$ and a group element $a$ such that $a = g^{\frac{1}{x+v}}$. Observe that here the solution is defined by a rational function of the secret choices and the value $v$ that can be chosen freely. If $\frac{1}{x+v}$ is not defined over $\mathbb{Z}_p$ for particular $x$ and $v$, then the problem instance is deemed to be not solved.

To let the class of DL-/DH-type problems (Definition 1) cover this problem type we do the following: We first need to introduce two additional parameters $\ell'$ and $c'$ defining the range $\mathbb{Z}_n^{c'} \times (\mathbb{Z}_n^*)^{\ell'-c'}$ from which the algorithm is allowed to choose the value $v$. Furthermore, we consider structure instance generators $\mathrm{SIGen}_{\mathcal{P}}$ which output two Laurent polynomials $Q_1$ and $Q_2$ over $\mathbb{Z}_n$ in the variables $X_1, \dots, X_\ell, V_1, \dots, V_{\ell'}$, where only the variables $X_{c+1}, \dots, X_\ell$ and




$V_{c'+1}, \dots, V_{\ell'}$ may appear with negative exponents. These polynomials represent a rational function

$$R : \big(\mathbb{Z}_n^c \times (\mathbb{Z}_n^*)^{\ell-c}\big) \times \big(\mathbb{Z}_n^{c'} \times (\mathbb{Z}_n^*)^{\ell'-c'}\big) \to \mathbb{Z}_n, \qquad (x, v) \mapsto \frac{Q_1(x, v)}{Q_2(x, v)}.$$

A problem instance of such an extended DL-/DH-type problem is defined as before. Given a problem instance, the challenge is to output some $v \in \mathbb{Z}_n^{c'} \times (\mathbb{Z}_n^*)^{\ell'-c'}$ with $Q_2(x, v) \in \mathbb{Z}_n^*$ and the element

$$\begin{cases} R(x, v), & \text{for a DL-type problem} \\ g_1^{R(x, v)}, & \text{for a DH-type problem.} \end{cases} \qquad (2)$$


Adapting most of the framework to the new definition is quite straightforward. In fact, the definition of leak-resistance, the corresponding conditions and theorems stay the same since the definition is completely independent of the challenge polynomial. In the following, we only sketch important differences from the previous version of the conditions.

For this purpose, we need to introduce some new notation: By

$$\mathcal{F}(\mathcal{L}_n^{(\ell,c)}) := \left\{ \frac{Q_1}{Q_2} \;\middle|\; Q_1, Q_2 \in \mathcal{L}_n^{(\ell,c)},\ Q_2 \text{ is not a zero-divisor} \right\}$$

we denote the ring of fractions of $\mathcal{L}_n^{(\ell,c)}$. An element $\frac{a}{b} \in \mathcal{F}(\mathcal{L}_n^{(\ell,c)})$ with $a, b \in \mathbb{Z}_n$ is called a constant fraction. The ring $\mathcal{L}_n^{(\ell,c)}$ can be seen as a subring of this ring by identifying $Q \in \mathcal{L}_n^{(\ell,c)}$ with $\frac{Q}{1} \in \mathcal{F}(\mathcal{L}_n^{(\ell,c)})$. Note that if we evaluate the fraction $\frac{Q_1}{Q_2}$ with some $v \in \mathbb{Z}_n^{c'} \times (\mathbb{Z}_n^*)^{\ell'-c'}$ we obtain a fraction $\frac{Q_1(X, v)}{Q_2(X, v)}$ which is not necessarily a well-defined element of $\mathcal{F}(\mathcal{L}_n^{(\ell,c)})$. This is because $Q_2(X, v)$ might be a zero-divisor in $\mathcal{L}_n^{(\ell,c)}$. However, we can exclude this case, because by choosing such a fraction (i.e., by selecting this particular $v$) an algorithm can never solve a problem instance.

We stipulate the following definitions for the SLP-intractability of an (extended) DL-type and a DH-type problem, respectively. Note that the SLP-generators now additionally output $v$ in order to select a specific fraction.


Definition 10 (SLP-intractability of DL-Type Problems). A DL-type problem $\mathcal{P}$ is $(\Omega, q, \nu)$-SLP-intractable if for all $(\Omega, q)$-SLP-generators $S$ and $\kappa \in \mathbb{N}$ we have

$$\Pr\left[\, Q_2(x, v) \in \mathbb{Z}_n^* \text{ and } R(x, v) = a \bmod n \;:\; (n, I, Q_1, Q_2) \leftarrow \mathrm{SIGen}_{\mathcal{P}}^{(n,I,Q_1,Q_2)}(\kappa);\ (v, a, L_1, \dots, L_k) \leftarrow S(\kappa, n, I, Q_1, Q_2);\ R \leftarrow \tfrac{Q_1}{Q_2};\ x \leftarrow \mathbb{Z}_n^c \times (\mathbb{Z}_n^*)^{\ell-c} \,\right] \le \nu(\kappa).$$
Definition 11 (SLP-intractability of DH-type Problems). A DH-type problem $\mathcal{P}$ is $(\Omega, q, \nu)$-SLP-intractable if for all $(\Omega, q)$-SLP-generators $S$ and $\kappa \in \mathbb{N}$ we have

$$\Pr\left[\, Q_2(x, v) \in \mathbb{Z}_n^* \text{ and } (P - R(X, v))(x) = 0 \bmod n \;:\; (n, I, Q_1, Q_2) \leftarrow \mathrm{SIGen}_{\mathcal{P}}^{(n,I,Q_1,Q_2)}(\kappa);\ (v, P, L_1, \dots, L_k) \leftarrow S(\kappa, n, I, Q_1, Q_2);\ R \leftarrow \tfrac{Q_1}{Q_2};\ x \leftarrow \mathbb{Z}_n^c \times (\mathbb{Z}_n^*)^{\ell-c} \,\right] \le \nu(\kappa).$$


The GGA-intractability of a DL-/DH-type problem is still related in the same way to the leak-resistance property and the SLP-intractability of the problem. That means, Theorem 1 holds unchanged for our extension.

To ensure SLP-intractability, we have Conditions 6 and 7 for DL-type problems and Conditions 6 and 8 for DH-type problems. These conditions imply $(\Omega, q, \nu)$-SLP-intractability for the same negligible functions $\nu$ as stated in Theorems 4 and 5.


Condition 6. There exists $r_2 \in \mathrm{poly}(x)$ such that for all $\kappa \in \mathbb{N}$, $(n, Q_1, Q_2) \in [\mathrm{SIGen}_{\mathcal{P}}^{(n,Q_1,Q_2)}(\kappa)]$, and $v \in \mathbb{Z}_n^{c'} \times (\mathbb{Z}_n^*)^{\ell'-c'}$ we have $\max\{\deg(Q_1(X, v)), \deg(Q_2(X, v))\} \le r_2(\kappa)$.

Condition 7. There exists $\kappa_0 \in \mathbb{N}$ such that for all $\kappa \ge \kappa_0$, $(n, Q_1, Q_2) \in [\mathrm{SIGen}_{\mathcal{P}}^{(n,Q_1,Q_2)}(\kappa)]$, and $v \in \mathbb{Z}_n^{c'} \times (\mathbb{Z}_n^*)^{\ell'-c'}$ we have that $\frac{Q_1(X, v)}{Q_2(X, v)}$ is not a constant fraction in $\mathcal{F}(\mathcal{L}_n^{(\ell,c)})$.

Condition 8. For every $q \in \mathrm{poly}(x)$ there exists $\kappa_0 \in \mathbb{N}$ such that for all $\kappa \ge \kappa_0$, $(\Omega, q)$-SLP-generators $S$, $(n, I, Q_1, Q_2) \in [\mathrm{SIGen}_{\mathcal{P}}^{(n,I,Q_1,Q_2)}(\kappa)]$, and $(v, P, L_1, \dots, L_k) \in [S(\kappa, n, I, Q_1, Q_2)]$ we have that $\frac{Q_1(X, v)}{Q_2(X, v)} \ne P$ in $\mathcal{F}(\mathcal{L}_n^{(\ell,c)})$.

Example 6 (SLP-intractability of w-SDHP). For the $w$-SDH problem we have 
parameters $\mathrm{Param}_{w\text{-}SDH} = (k = 1, \ell = 1, c = 0, z = w + 1, \ell' = 1, c' = 0)$ and a 
structure instance generator $\mathrm{SIGen}_{w\text{-}SDH}$ that on input $\kappa$ returns 

$$((G = G_1, g = g_1, n = p),\ (I = I_1 = \{1, X_1, \ldots, X_1^{w}\},\ Q_1 = 1,\ Q_2 = X_1 + V_1)) .$$ 

Note that for any $v_1 \in \mathbb{Z}_n^*$, the fraction $\frac{Q_1}{Q_2}(X, v) = \frac{1}{X_1 + v_1}$ is an element of 
$\mathcal{F}(\mathcal{L}_n^{(\ell,c)})$ but not an element of the subring $\mathcal{L}_n^{(\ell,c)}$. Hence, Condition 8 is triv- 
ially satisfied, since $P$ is always a Laurent polynomial (independently of the 
considered operations set $\Omega$). Condition 6 is satisfied since we always have 
$\max\{\deg(Q_1(X, v)), \deg(Q_2(X, v))\} = 1 =: r_2(\kappa)$. As we can easily see, the re- 
maining conditions hold assuming an operations set containing operations for per- 
forming the group law and inversion of elements in $G_1$; this yields an upper 
bound $\Phi(0, 0, 0, w(\kappa), q(\kappa)) = w(\kappa)$ on the degrees of the polynomials $P \in L_1$. 
Thus, the problem is $(\Omega, q, \nu)$-SLP-intractable, where $\nu(\kappa) = 2^{-\kappa}(w(\kappa) + 1)$. 
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Abstract. Key-dependent message security, short KDM security, was 
introduced by Black, Rogaway and Shrimpton to address the case where 
key cycles occur among encryptions, e.g., a key is encrypted with itself. 

We extend this definition to include the cases of adaptive corruptions 
and arbitrary active attacks, called adKDM security incorporating 
several novel design choices and substantially differing from prior defi- 
nitions for public-key security. We also show that the OAEP encryption 
scheme (using a partial-domain one-way function) satisfies the strong 
notion of adKDM security in the random oracle model. The OAEP 
construction thus constitutes a suitable candidate for implementing 
symbolic abstractions of encryption schemes in a computationally sound 
manner under active adversaries. 

Keywords: Key-dependent message security, chosen ciphertext attacks, 
RSA-OAEP. 

1 Introduction 

Encryption schemes constitute the oldest and arguably the most important cryp- 
tographic primitive. Their security was rigorously studied very early, starting 
with Shannon’s work for the information-theoretic case PH. Computational 
definitions for public-key encryption were developed over time, in particular 
in . For symmetric encryption, the first real definitions were, to the 
best of our knowledge, given in (1 !)I28I8|, using the same basic ideas as in public- 
key encryption. While these definitions seemed to take care of standard usage 
of encryption schemes, it was soon recognized that larger protocols might pose 
additional requirements on the encryption schemes, e.g., in multi-party compu- 
tations with dynamic corruptions as in (Zj. It was also recognized that in some 
cases, symmetric encryption initially seemed to be the appropriate method to 
use, but upon study other primitives such as pseudorandom permutations jlUlbj or 
authenticated encryption 1 12191 proved to be better. 

A specific additional requirement some larger protocols pose on encryption 
schemes is the ability to securely encrypt key-dependent messages. One speaks 
of key-dependent messages if a key K is used to encrypt a message m where m 
contains or depends on the key K (or the corresponding secret key in the case 
of public-key encryption). The first concrete use of this case seems to have been 

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 506–523, © 2008. 
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in ca. where multiple private keys were used to encrypt one another in order 
to implement an all-or-nothing property in a credential system to discourage 
people from transferring individual credentials. Such key cycles also occur in 
implementations of disk encryption in, e.g., Windows Vista, that can store an 
encryption of its own secret keys to the disk in some situations. Key cycles also 
occur in some naively designed key exchange protocols of session keys given 
master keys shared among the two parties or with a key distribution center, 
where at the end of the protocol the newly exchanged key is “confirmed” by 
using it to encrypt or authenticate something that might include the master 
keys. 

Another area that has brought additional requirements on cryptographic 
primitives, and in particular that of encryption with key cycles, is the use of 
formal methods or “symbolic cryptography”. Here the question is whether sim- 
ple abstractions of cryptographic primitives exist that can be used by automated 
proof tools (model checkers or theorem provers) to prove or disprove a wide range 
of security protocols that use cryptography in a blackbox manner. The original 
abstractions used by this automation community are term algebras constructed 
from certain base types and cryptographic operators such as E and D for en- 
cryption and decryption. They are often called Dolev-Yao models after the first 
such abstraction m- As soon as one has a multi-user variant of such a model, 
the keys are terms, and from the term algebra side it is natural that keys can also 
be encrypted, i.e., most models simply assume that key cycles are allowed. Once 
cryptographic justification of such models was started in j2|, it was recognized 
that key cycles had to be excluded from the original models to get cryptographic 
results. The same holds for later results |1 126161271298411 8lT? j . 

Motivated primarily by symbolic cryptography, a definition of key-dependent 
message security (KDM security) was introduced in . It generalizes the defini- 
tion from by allowing arbitrary functions of the keys (and not just individual 
keys) as plaintexts, and by considering symmetric encryption schemes. H*3 also 
presents a definition and a construction (without proof) for the asymmetric case 
against passive attackers. In [HJ it was shown that, in the case of symmetric 
encryption, an extension of the KDM definition that additionally allows for a 
limited revelation of secret keys of honest users, called DKDM security, is suit- 
able for extending results about the justification of Dolev-Yao models to include 
protocols with key cycles. Full security in the presence of key-dependent mes- 
sages has so far only been achieved in the random oracle model. In m and 
m, the problem of implementing KDM secure symmetric encryption schemes 
without random oracles is investigated. There, solutions are given for relaxed 
variants of KDM security, e.g., security against a bounded number of queries or 
security with respect to a single key dependency function. No scheme is known, 
however, that fulfills any form of full-fledged KDM security (passive or active) 
without the use of random oracles. In d, a scheme is presented that is secure 
if the key dependency functions are guaranteed to be affine. Extensions of KDM 
security for public-key encryption to active adversaries have not been proposed 
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yet, and establishing meaningful definitions for this case indeed raises non-trivial 
problems. 

Our Contributions. We first propose a new definition of security under key- 
dependent messages, called adKDM security, that captures security against ac- 
tive attackers and adaptive corruptions in the case of public-key encryption. This 
definition incorporates several novel design choices and substantially differs from 
prior definitions for public-key security; in particular, it allows the adversary to 
iteratively construct nested encryptions without necessarily revealing inner en- 
cryptions, and it is required to keep track of the knowledge that the adversary 
maintains in an ideal setting. 

We then investigate the OAEP encryption scheme and prove that it satisfies 
adKDM security in the random oracle model, assuming the partial-domain one- 
wayness of the underlying trapdoor-permutation. This in particular shows the 
OAEP construction to constitute a suitable candidate for soundly implementing 
symbolic abstractions of cryptography (so-called computational soundness). We 
leave it as an open problem for future work to prove that our definition of adKDM 
security is sufficient for a computational soundness result. 

The need to incorporate key dependencies and the adaptive nature of adKDM 
security require substantial changes to the CCA2-security proof of OAEP. In 
particular, adKDM security does not allow for determining in advance which 
encryptions will be used as challenge encryptions. At the point of construction 
of these bitstrings, the adversary might not even know the challenge encryptions. 
Consequently, performing the reduction to the underlying assumption requires 
us to lazily construct them in order to decide as late as possible which encryption 
constitutes a challenge encryption. 


2 Preliminaries 

In this section, we present some definitions and conventions that will be used 
later on in the paper. 

Notation. Let $\oplus$ denote the XOR operation, and let $\|$ denote concatenation. 
For a probabilistic algorithm $B$, let $y \leftarrow B(x)$ denote assigning the output of 
$B(x)$ to $y$. Let $\Pr[\pi : X]$ denote the probability that $\pi$ holds after executing the 
instructions in $X$ (which are of the form $y \leftarrow B(x)$). A function in $n$ is negligible 
if it is in $n^{-\omega(1)}$. A function is non-negligible if it is not negligible. We formulate 
all our results for uniform adversaries, but they hold for nonuniform adversaries 
as well. 

Definition 1 (Circuit). A circuit is a Boolean circuit with $n_1 + \cdots + n_t$ input 
bits ($t \geq 0$) and $m$ output bits. The circuit may have arbitrary fan-in and fan- 
out, AND-, OR- and NOT-gates, and — in the case of an encryption scheme in the 
random-oracle model — gates for querying the random oracle(s). We assume that 
a circuit is always encoded by explicitly specifying all its gates and the numbers 
$n_1, \ldots, n_t, m$. The evaluation $f(x_1, \ldots, x_t)$ of a circuit $f$ on bitstrings $x_1, \ldots, x_t$ 
is defined as follows: Let $x_i'$ be the result of truncating or padding $x_i$ with $0$s to the 
length $n_i$. Then $f(x_1, \ldots, x_t)$ is the result of evaluating $f$ with input $x_1' \| \ldots \| x_t'$.¹ 

OAEP Is Secure under Key-Dependent Messages 509 

Convention: Encryption is length-regular. For any encryption scheme, we 
impose the following assumption on the output of the encryption function Enc 
and the decryption function Dec: The length of the output of Enc depends only 
on the public key and the length of the message. The length of the output of 
Dec depends only on the public key and the length of the ciphertext. This can 
easily be achieved by suitable padding and encoding. 

The OAEP scheme. The optimal asymmetric encryption padding (OAEP) 
scheme HH constitutes a widely employed encryption scheme in the random 
oracle model based on a trapdoor 1-1 function. 

Definition 2 (OAEP). Let $k$ denote the security parameter and let $k_0$ and 
$k_1$ be functions such that $k_0, k_1, k - k_0 - k_1$ are superlogarithmic. Assume a 
1-1 trapdoor function $f$ with domain $\{0,1\}^k = \{0,1\}^{k-k_0} \times \{0,1\}^{k_0}$. Let $G : 
\{0,1\}^{k_0} \to \{0,1\}^{k-k_0}$ and $H : \{0,1\}^{k-k_0} \to \{0,1\}^{k_0}$ denote random oracles. 
The public and secret key for the OAEP encryption scheme (Enc, Dec) consist 
of a public key and a trapdoor for $f$. An encryption $c = \mathrm{Enc}(pk, m)$ with $|m| = 
k - k_0 - k_1$ is computed as $r \leftarrow \{0,1\}^{k_0}$, $s := (m \| 0^{k_1}) \oplus G(r)$, $t := r \oplus H(s)$, $c := 
f_{pk}(s \| t)$. 

A decryption $\mathrm{Dec}(sk, c)$ is computed as $s \| t := f^{-1}_{sk}(c)$, $r := t \oplus H(s)$, $m \| z := 
s \oplus G(r)$ with $|s| = k - k_0$, $|t| = k_0$, $|m| = k - k_0 - k_1$ and $|z| = k_1$. If $z = 0^{k_1}$, 
the plaintext $m$ is returned, otherwise the decryption fails with output $\bot$. 
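Definition 2 carried out step by step in runnable form. This is an added example, not code from the paper: the random oracles G and H are instantiated with SHAKE256 under domain-separating labels, the trapdoor 1-1 function f is replaced by an affine bijection on k-bit strings (a placeholder that has a trapdoor but is not one-way, so the example exercises the padding and the 0^{k1} redundancy check, not the partial-domain one-wayness assumption), and the sizes k, k0, k1 are constructed toy values.

```python
import hashlib
import secrets

# Constructed toy parameters; the paper requires k0, k1 and k-k0-k1 to be superlogarithmic.
K, K0, K1 = 64, 16, 16
MLEN = K - K0 - K1            # |m| = k - k0 - k1 = 32 bits


def _ro(label, x, xlen, outlen):
    """Random-oracle stand-in (assumption): SHAKE256, domain-separated by label."""
    digest = hashlib.shake_256(label + x.to_bytes(xlen // 8, "big")).digest(outlen // 8)
    return int.from_bytes(digest, "big")


def G(r):                     # G : {0,1}^k0 -> {0,1}^(k-k0)
    return _ro(b"G", r, K0, K - K0)


def H(s):                     # H : {0,1}^(k-k0) -> {0,1}^k0
    return _ro(b"H", s, K - K0, K0)


def keygen():
    """Stand-in for the trapdoor 1-1 function f on {0,1}^k: x -> a*x + b mod 2^k with odd a.
    It is a permutation with trapdoor (a^-1, b) but NOT one-way; it only lets the padding run."""
    a, b = secrets.randbits(K) | 1, secrets.randbits(K)
    return (a, b), (pow(a, -1, 1 << K), b)


def f(pk, x):
    a, b = pk
    return (a * x + b) % (1 << K)


def f_inv(sk, y):
    a_inv, b = sk
    return (a_inv * (y - b)) % (1 << K)


def enc(pk, m):
    """Enc(pk, m): r <- {0,1}^k0, s := (m||0^k1) xor G(r), t := r xor H(s), c := f_pk(s||t)."""
    assert 0 <= m < (1 << MLEN)
    r = secrets.randbits(K0)
    s = (m << K1) ^ G(r)         # m||0^k1 is m followed by k1 zero bits
    t = r ^ H(s)
    return f(pk, (s << K0) | t)  # s||t is the k-bit input to f


def dec(sk, c):
    """Dec(sk, c): s||t := f^-1(c), r := t xor H(s), m||z := s xor G(r); m iff z = 0^k1, else None (bottom)."""
    x = f_inv(sk, c)
    s, t = x >> K0, x & ((1 << K0) - 1)
    r = t ^ H(s)
    mz = s ^ G(r)
    m, z = mz >> K1, mz & ((1 << K1) - 1)
    return m if z == 0 else None


def roundtrip(m):
    """Fresh key pair, encrypt, decrypt; returns the recovered plaintext."""
    pk, sk = keygen()
    return dec(sk, enc(pk, m))


def tamper_recovers_plaintext(m):
    """Flip one ciphertext bit: the 0^k1 check rejects (or a different m comes out), so this is False."""
    pk, sk = keygen()
    return dec(sk, enc(pk, m) ^ 1) == m
```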

It has been shown in EH that the OAEP scheme is IND-CCA2 secure in the ran- 
dom oracle model under the assumption that $f$ fulfills the following Definition 3 
of partial-domain one-wayness. They further showed that the RSA trapdoor per- 
mutation, which is most commonly used for the OAEP scheme, is partial-domain 
one-way. 

Definition 3 (Partial-Domain One-Wayness). A 1-1 function $f : S \times T \to 
\mathrm{range}\, f$ with key generation $\mathrm{KeyGen}_f$ is partial-domain one-way if for any 
polynomial-time adversary $A$ we have that 

$$\Pr[s = s' : pk \leftarrow \mathrm{KeyGen}_f,\ (s, t) \leftarrow S \times T,\ s' \leftarrow A(pk, f_{pk}(s \| t))]$$ 

is negligible in $k$, where $A$, $\mathrm{KeyGen}_f$, $f$, $S$, $T$ depend on the security parameter 
$k$. We sometimes call this probability the advantage of $A$. 

3 The Definition of adKDM 

We now present our definition of adKDM security. Since this definition incor- 
porates several novel design choices and substantially differs from prior security 

1 Not granting a circuit access to the length of its arguments is not a restriction in 
our case, since this length will always be known in advance. 
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definitions for public key security, we do not immediately present the definition. 
Instead, we start with a direct adaptation of an existing definition and show using 
an example why this adaptation is not sufficient. We proceed with several plausi- 
ble approaches for extending this adaptation and explain why they fail. We finally 
present our definition of adKDM security and explain why it solves the problems 
observed with the tentative definitions discussed before. 

Extending DKDM security. In j^| the security notion DKDM was proposed 
for the case of symmetric key-dependent encryptions. It is the strongest notion of 
KDM security considered so far; restating it one-to-one in the public-key setting 
would yield the following definition.² 

Definition 4 (DKDM, public key setting - sketch). The DKDM oracle 
maintains a sequence of key pairs $pk_i, sk_i$ and a random challenge bit $b$. It an- 
swers to the following queries: 

— $pk(j)$: Return $pk_j$. 

— $\mathrm{reveal}(j)$ where $j$ has not been used in an $\mathrm{enc}(j, \cdot)$ query: Return $sk_j$. 

— $\mathrm{enc}(j, f)$ where $f$ is a circuit and $j$ has not been used in a $\mathrm{reveal}(j)$ query: 
Compute $m_0 := f(sk_1, sk_2, \ldots)$, $m_1 := 0^{|m_0|}$ and encrypt $c := \mathrm{Enc}(pk_j, m_b)$. 
Return $c$. 

— $\mathrm{dec}(j, c)$ where $c$ has not been returned by an $\mathrm{enc}(j, \cdot)$ query with the same 
key index $j$: Return $\mathrm{Dec}(sk_j, c)$. 

A public key encryption scheme (Enc, Dec) is DKDM secure if no polynomial 
time adversary interacting with the DKDM-oracle guesses $b$ with probability non- 
negligibly greater than $\frac{1}{2}$. 

This definition is an almost immediate generalization of the IND-CCA definition 
to the multi-session setting (i.e., with several key pairs instead of only one). 
DKDM extends IND-CCA in two ways: First, the messages that are contained in 
an $\mathrm{enc}(\cdot, \cdot)$ encryption query may depend on all secret keys in the system. Second, 
one can reveal secret keys as long as the corresponding public keys have not been 
used for encrypting (otherwise one could decrypt a challenge ciphertext so that 
the definition cannot be met). 

Although the notion of DKDM has been shown to be useful for soundness 
results for a specific class of protocols, it has obvious restrictions on the class of 
protocols considered. In particular, it is not allowed to reveal a key that has been 
used for encryption. The following simple protocol illustrates that this indeed 
constitutes a restriction: Alice holds two secret keys $sk_1, sk_2$ and a secret message 
$m$ and sends the following messages to Bob: 

$$c_1 := \mathrm{Enc}(pk_1, \mathrm{Enc}(pk_2, m \| sk_1 \| sk_2)), \qquad c_2 := \mathrm{Enc}(pk_2, \mathrm{Enc}(pk_1, m \| sk_1 \| sk_2))$$ 

Then Bob chooses a value $i = 1, 2$ and Alice sends $sk_i$ to Bob. We would intu- 
itively expect the message $m$ to stay secret since Bob learns at most one of the 

2 We have omitted one condition of their definition, namely that it should not be 
possible to generate a valid ciphertext without the knowledge of the secret key. This 
condition is not applicable to the public-key setting. 
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keys $sk_1, sk_2$. However, a direct reduction against DKDM security fails. Namely, 
we have basically four possibilities to construct the messages $c_1, c_2$ by querying 
the DKDM oracle (note that enc denotes the query to the adKDM oracle while 
Enc is the encryption algorithm): 

(i) $c_1 := \mathrm{enc}(1, g_1)$, $c_2 := \mathrm{enc}(2, g_2)$ where $g_1$ and $g_2$ are circuits computing 
$\mathrm{Enc}(pk_2, m \| sk_1 \| sk_2)$ and $\mathrm{Enc}(pk_1, m \| sk_1 \| sk_2)$, respectively (given input 
$(sk_1, sk_2)$). 

(ii) $c_1 := \mathrm{Enc}(pk_1, \mathrm{enc}(2, g))$, $c_2 := \mathrm{Enc}(pk_2, \mathrm{enc}(1, g))$ where $g$ computes 
$m \| sk_1 \| sk_2$. 

(iii) $c_1 := \mathrm{Enc}(pk_1, \mathrm{enc}(2, g))$, $c_2 := \mathrm{enc}(2, g_2)$ where $g$ and $g_2$ are as before. 

(iv) $c_1 := \mathrm{enc}(1, g_1)$, $c_2 := \mathrm{Enc}(pk_2, \mathrm{enc}(1, g))$, where $g$ and $g_1$ are as before. 

Then, depending on the value of $i$ chosen by Bob, we have to issue $\mathrm{reveal}(i)$. In 
cases (i) and (ii), no reveal query is allowed since queries of the forms $\mathrm{enc}(1, \cdot)$ 
and $\mathrm{enc}(2, \cdot)$ have been performed, which excludes the reveal queries $\mathrm{reveal}(1)$ and 
$\mathrm{reveal}(2)$ by Definition 4. Similarly, in case (iii) we are not allowed to query 
$\mathrm{reveal}(2)$, and in case (iv) we are not allowed to query $\mathrm{reveal}(1)$. Thus in order 
to perform the first step, we have to know in advance what the value of $i$ will 
be and to construct $c_1, c_2$ as in case (iii) or (iv), respectively. Of course, in the 
present example it is possible to save the reduction proof by guessing $i$; however, 
it is easy to thwart this possibility by performing many such games in parallel.³ A 
natural approach to extend the definition of DKDM to this case would be to allow 
to even reveal keys $sk_j$ that are used in encryption queries $\mathrm{enc}(j, \cdot)$. However, a 
query $\mathrm{enc}(j, \cdot)$ returns an encryption $c$ of the message $m_b$. So given the secret 
key $sk_j$, we could easily determine $m_b$ from $c$ and therefore the challenge bit $b$. 
Therefore, we will have to distinguish between two types of encryption queries: A 
normal encryption query $\mathrm{enc}(j, f)$ will return the encryption of $m_0 := f(sk_1, \ldots)$ 
irrespective of the value of $b$. A challenge encryption query $\mathrm{challenge}(j, f)$ returns 
$m_b$ where $m_0$ is as for $\mathrm{enc}(j, f)$ and $m_1 := 0^{|m_0|}$. This leads to the following 
tentative definition: 

Definition 5 (KDM security — tentative). The oracle $T$ chooses a random 
bit $b$ and accepts the following queries. 

— $pk(j)$ and $\mathrm{reveal}(j)$: Return $pk_j$ and $sk_j$, respectively. $\mathrm{dec}(j, c)$: Return 
$\mathrm{Dec}(sk_j, c)$. 

— $\mathrm{enc}(j, f(i_1, \ldots, i_t))$ where $f$ is a circuit: Compute $m_0 := f(sk_{i_1}, \ldots, sk_{i_t})$ 
and return $\mathrm{Enc}(pk_j, m_0)$. 

— $\mathrm{challenge}(j, f(i_1, \ldots, i_t))$: Compute $m_0$ as before, $m_1 := 0^{|m_0|}$ and return 
$\mathrm{Enc}(pk_j, m_b)$. 

3 E.g., Alice sends $c_1^{(1)}, c_2^{(1)}, \ldots, c_1^{(n)}, c_2^{(n)}$ with $c_1^{(i)} := 
\mathrm{Enc}(pk_1^{(i)}, \mathrm{Enc}(pk_2^{(i)}, m \| keys))$, $c_2^{(i)} := \mathrm{Enc}(pk_2^{(i)}, \mathrm{Enc}(pk_1^{(i)}, m \| keys))$ and 
$keys := sk_1^{(1)} \| sk_2^{(1)} \| \ldots \| sk_1^{(n)} \| sk_2^{(n)}$. Then Bob chooses $i_1, \ldots, i_n \in \{1, 2\}$ and 
Alice sends $sk_{i_1}^{(1)}, \ldots, sk_{i_n}^{(n)}$. The fact that all keys are contained in each encryption 
also disables hybrid arguments. To the best of our knowledge, the security of this 
protocol cannot be reduced to DKDM security. 
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The oracle aborts in the following cases: $\mathrm{reveal}(j)$ is queried but $\mathrm{challenge}(j, \cdot)$ has 
been queried before; $\mathrm{challenge}(j, \cdot)$ is queried but $\mathrm{reveal}(j)$ has been queried; $\mathrm{dec}(j, c)$ 
is queried but $c$ was produced by $\mathrm{challenge}(j, \cdot)$. A scheme is KDM secure if no 
polynomial-time adversary guesses $b$ with probability noticeably larger than $\frac{1}{2}$. 


This definition might look appealing, but it cannot be met: For example, one 
could encrypt a challenge plaintext under $pk_1$ via the query $\mathrm{challenge}(1, m)$, 
then encrypt the key $sk_1$ under $pk_2$ via $c := \mathrm{enc}(2, sk_1)$, and finally reveal $sk_2$ 
via $\mathrm{reveal}(2)$.⁴ This sequence of queries is not forbidden by Definition 5. Now 
we can compute $sk_1$ from $c$ using $sk_2$ and then decrypt the challenge encryption 
using $sk_1$. This allows us to determine the bit $b$. Hence no encryption scheme can 
fulfill Definition 5. We hence have to relax the definition by excluding queries that 
would trivially allow to decrypt a challenge ciphertext. For this, we have to reject 
queries to the oracle that would allow the adversary to decrypt the challenge even 
in an ideal setting. For this, we keep track of the keys that the adversary can 
deduce from the queries made so far. We call this set know (the knowledge of 
the adversary) because it represents what the adversary knows ideally. The set 
know is inductively defined as follows: (a) If $\mathrm{reveal}(j)$ has been queried, then 
$j \in$ know. (b) If $j \in$ know, and an $\mathrm{enc}(j, f(i_1, \ldots, i_t))$ has been queried, then 
$i_1, \ldots, i_t \in$ know. (c) If $\mathrm{enc}(j, f(i_1, \ldots, i_t))$ has been queried and returned the 
ciphertext $c$, and $\mathrm{dec}(j, c)$ has subsequently been queried, then $i_1, \ldots, i_t \in$ know. 
Roughly, we say that the adversary knows all keys that either were revealed or 
are contained in ciphertexts it could decrypt using keys it knows. We can now 
relax Definition 5 by disallowing queries that would allow the adversary to know 
a secret key for a challenge encryption. 


Definition 6 (KDM security — tentative). KDM security is defined as in 
Definition 5 except that the oracle $T$ additionally aborts if a query would lead 
to the following situation: For some $j \in$ know, a query $\mathrm{challenge}(j, \cdot)$ has been 
performed (or is being performed). 


Introducing hidden encryptions. Definition 6, however, is still too weak to 
allow to adaptively choose which keys to reveal. In particular, the example pro- 
tocol given above can still not be proven secure: When producing $c_1, c_2$ in a 
reduction proof, we have to decide which of the ciphertexts will be created by 
challenge encryptions ($\mathrm{challenge}(\cdot, \cdot)$ queries) and which will be created by nor- 
mal encryptions ($\mathrm{enc}(\cdot, \cdot)$). Since we might have to invoke $\mathrm{reveal}(1)$ later, we 
may not use $\mathrm{challenge}(1, \cdot)$ queries, and since we might have to invoke $\mathrm{reveal}(2)$, 
we may not use $\mathrm{challenge}(2, \cdot)$ queries. But if no $\mathrm{challenge}(\cdot, \cdot)$ query is issued, 
the oracle $T$ never uses the bit $b$ and thus the adversary cannot guess $b$.⁵ 
Handling adaptive revelations of keys hence requires to further extend our 
approach. A closer inspection reveals why we failed to prove the security of 
the example protocol: We had two possible ways to construct the ciphertext 

4 We use the shorthand $m$ and $sk_1$ for the circuits outputting $m$ and $sk_1$, respectively. 

5 Again, this problem might be remedied by guessing in advance whether $sk_1$ or $sk_2$ 
will be needed, but see footnote 3 for an example where guessing does not work. 
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$c_1$. Either (a) we could ask the oracle to produce $d_1 := \mathrm{Enc}(pk_2, m \| sk_1 \| sk_2)$ 
and encrypt it ourselves using $pk_1$ to produce $c_1$. Or (b) we could request the 
ciphertext $c_1$ directly by sending to the oracle a circuit $f$ that computes $d_1$ from 
$sk_1, sk_2$. In case (a), we are not allowed to reveal $sk_2$ since this would allow to 
decrypt $d_1$ and thus reveal $m$. In case (b), if we were to reveal $sk_1$ this would 
allow to decrypt $c_1$. As the plaintext $d_1$ for $c_1$ has been produced using a circuit 
$f$ from $sk_1, sk_2$ and $m$, the oracle has no way of knowing that $d_1$ is actually 
an encryption of these values (this would require an analysis of the circuit to 
determine what it does) and thus has to consider the values $sk_1, sk_2$ and $m$ to be 
leaked when $c_1$ is decrypted. Thus in case (b), we have to disallow the revelation 
of $sk_1$. This analysis shows that we need a way to send the following instructions 
to the oracle: “First produce the ciphertext $d_1$ as an encryption of $m \| sk_1 \| sk_2$ 
(where $m \| sk_1 \| sk_2$ is described by a suitable circuit). Do not return the value 
$d_1$ (as otherwise we would be in case (a)). Then produce the ciphertext $c_1$ by 
encrypting $d_1$. Return $c_1$.” 

Given these instructions, the oracle has enough information to deduce that 
when revealing $sk_1$, the message $m$ is still protected by the encryption $d_1$ using 
$pk_2$ (the details of this deduction process are discussed below). And if only $sk_2$ 
is revealed instead, $c_1$ cannot be decrypted and $m$ is protected. Analogous 
reasoning applies to the construction of $c_2$. 

Hence we have to define an oracle $T$ that allows us to construct ciphertexts 
without revealing them. Instead, for each ciphertext we can adaptively decide 
whether to reveal it or whether we only use it inside other ciphertexts (that 
again may or may not be revealed). More concretely, whenever a query is issued 
to $T$, instead of directly returning the result of that query, it is stored in some 
register $bits_h$ inside the oracle where $h$ is a handle identifying the register. Only 
upon a special reveal query, the value $bits_h$ is returned to the adversary. A 
challenge encryption (i.e., one whose content depends on the challenge bit $b$) is 
then produced as follows: First produce a plaintext $m$ (possibly using a circuit 
and depending on other hidden strings) and assign it to register $bits_{h_1}$. Then, 
depending on $b$, assign $bits_{h_1}$ or $0^{|bits_{h_1}|}$, respectively, to register $bits_{h_2}$ (using a 
special challenge query $h_2 \leftarrow C(h_1)$). Encrypt $bits_{h_2}$ using some key and assign 
the result to $bits_{h_3}$. Finally (optionally) reveal $bits_{h_3}$.⁶ 

These considerations lead to the following definition of the adKDM oracle 
(however, for the definition of adKDM security we will additionally define which 
sequences of queries are allowed): 

Definition 7 (adKDM Oracle). The adKDM oracle $T$ maintains two partial 
functions cmd and bits (to increase readability we write $bits_h$ for $bits(h)$ and 

6 This is, of course, not the only possible way to model challenge encryptions. One 
could, e.g., use a special command for producing a challenge encryption. However, 
we believe that the approach of being able to make challenge values out of arbitrary 
messages allows for more direct reductions in proofs. E.g., in our example protocol 
we could directly model the fact that m is the value that should remain hidden by 
using the oracle call $h' \leftarrow C(h)$ when $bits_h$ contains $m$ and then using $bits_{h'}$ instead of 
$bits_h$ in subsequent encryptions. 
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$cmd_h$ for $cmd(h)$), a set $\Phi$, a sequence of secret/public key pairs $sk_i, pk_i$ ($i \in \mathbb{N}$) 
(which are generated when first accessed), and a bit $b$ (the challenge bit). The 
function cmd will store the structure of previous queries, the function bits will 
store the corresponding bitstrings, and $\Phi$ will keep track of query results that 
are revealed to the adversary. We will refer to the elements in the domain of 
cmd and bits as handles in the following. Upon the first activation, $b$ is chosen 
uniformly from $\{0, 1\}$, bits and cmd are initially undefined, and $\Phi$ is empty. The 
oracle responds to the following commands: 

— Encryption: $h' \leftarrow E(j, h)$ where $cmd_{h'}$ has not been assigned, $cmd_h$ has been 
assigned, and $j$ is a key index: Set $bits_{h'} := \mathrm{Enc}(pk_j, bits_h)$ and $cmd_{h'} := 
E(j, h)$. 

— Decryption: $h' \leftarrow D(j, h)$ where $cmd_{h'}$ has not been assigned, $cmd_h$ has been 
assigned, and $j$ is a key index: Set $bits_{h'} := \mathrm{Dec}(sk_j, bits_h)$, and $cmd_{h'} := 
D(j, h)$. 

— Circuit evaluation: $h' \leftarrow F(f, h_1, \ldots, h_t)$ where $cmd_{h'}$ has not been assigned, 
$cmd_{h_i}$ has been assigned for all $i$, and $f$ is a circuit with $t$ arguments: Set 
$bits_{h'} := f(bits_{h_1}, \ldots, bits_{h_t})$ and set $cmd_{h'} := F(f, h_1, \ldots, h_t)$. 

— Key request: $h' \leftarrow K(j)$ where $cmd_{h'}$ has not been assigned and $j$ is a key 
index: Set $cmd_{h'} := K(j)$ and $bits_{h'} := sk_j$. 

— Challenge: $h' \leftarrow C(h)$ where $cmd_{h'}$ has not been assigned and $cmd_h$ has 
been assigned: Set $cmd_{h'} := C(h)$. If $b = 1$, set $bits_{h'} := bits_h$, otherwise set 
$bits_{h'} := 0^{|bits_h|}$. 

— Reveal: $\mathrm{reveal}(h)$ where $cmd_h$ has been assigned: Add $h$ to $\Phi$ and return $bits_h$. 

— Public key request: $pk(j)$ where $j$ is a key index: Return $pk_j$. 

The above commands in particular allow to assign a constant $c$ to a handle $h'$ 
by issuing $h' \leftarrow F(f)$ where $f$ is a nullary circuit that returns $c$. We abbreviate 
this as $h' \leftarrow F(c)$. Note that the length of every bitstring is always known to 
the adversary, because Enc, Dec, and all $f$ are length-regular. 

The knowledge of the adversary. If $T$ can be accessed in arbitrary ways, it is 
easy to determine $b$, e.g., querying $h_1 \leftarrow F(1)$, $h_2 \leftarrow C(h_1)$, $\mathrm{reveal}(h_2)$ will return 
$b$. Thus we have to restrict the adversary to queries that will not trivially allow 
to deduce $b$. The necessary criteria are given below. In analogy to Definition 6 
we do this by deriving a set know that characterizes what the adversary would 
ideally be able to know after the queries it performed. In contrast to Definition 6, 
the set know does not only contain keys, but the handles of all values produced 
by the oracle that the adversary would be able to know in an ideal setting. 
Intuitively, the knowledge know is defined by the following rules: All handles 
that the adversary requested (the set $\Phi$) are considered known. If the decryption 
of a message is known, then that message is considered known.⁷ If a circuit 
evaluation is known, all its arguments are considered known. If a challenge is 

7 It may seem surprising that by learning the result of a decryption we may learn 
something about the ciphertext. However, in fact we can get a single bit about the 
ciphertext, namely whether it is valid or not. Combining this with the application 
of circuits, we can in principle retrieve the full ciphertext. 
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known, the underlying message is considered known. If a key is known and an 
encryption of some message under that key is known, the message is considered 
known. And finally, if a decryption of some handle $h_1$ is known, and some handle 
$h_2$ evaluates to the same bitstring as $h_1$, and that handle $h_2$ resulted from an 
encryption of some message $m$, then that message $m$ is considered known. 

The last rule merits some additional explanation: The adversary may, e.g., 
construct and reveal an encryption $c$ (assigned to some handle $h_2$) of some $m$. 
Then it constructs a circuit $f$ that evaluates to $c$ (by hard-coding $c$ into $f$) and 
assigns $h_1 \leftarrow F(f)$. Now $h_1$ and $h_2$ refer to the same bitstring. By revealing 
the decryption of $h_1$, the adversary will then learn $m$. So after this sequence of 
queries, we have to ensure that $m$ is considered known to the adversary. This is 
ensured by the last of the above rules. The following definition formally states 
the definition of the knowledge of the adversary. 

Definition 8 (Knowledge). For partial functions cmd, bits and a set $\Phi$, we 
define the knowledge $\mathrm{know} = \mathrm{know}_{cmd, bits, \Phi}$ of the adversary to be inductively 
defined as follows: 

— $\Phi \subseteq$ know. 

— If $h' \in$ know and $cmd_{h'} = D(j, h)$ then $h \in$ know. 

— If $h' \in$ know and $cmd_{h'} = F(f, h_1, \ldots, h_t)$ then $h_1, \ldots, h_t \in$ know. 

— If $h' \in$ know and $cmd_{h'} = C(h)$ then $h \in$ know. 

— If $h' \in$ know and $cmd_{h'} = D(j, h_1)$, $bits_{h_1} = bits_{h_2}$ and $cmd_{h_2} = E(j, h_3)$ 
then $h_3 \in$ know. 

— If $h_1', h_2' \in$ know and $cmd_{h_1'} = K(j)$ and $cmd_{h_2'} = E(j, h)$ then $h \in$ know. 

Note that know can be efficiently computed given $\Phi$, cmd, and bits by adding 
handles to know according to the rules in Definition 8 until know does not grow 
any more. We are now ready to state the final definition of adKDM security. 
Intuitively, an encryption scheme is adKDM secure if the probability that the 
adversary guesses $b$ correctly without performing a query that would even ideally 
allow it to retrieve a bitstring constructed using a $C(\cdot)$ query is at most negligibly 
larger than $\frac{1}{2}$. 

Definition 9 (Adaptive KDM Security (adKDM)). An encryption 
scheme (Enc, Dec) is adKDM secure if for any polynomial-time adversary $A$ 
there is a negligible function $\mu$ such that the following holds: 

$$\Pr[\mathrm{Guess} \wedge \neg\mathrm{Invalid}] \leq \tfrac{1}{2} + \mu(k)$$ 

where the events refer to an execution of $A$ with input $1^k$ and oracle access to 
$T(\mathrm{Enc}, \mathrm{Dec})$ and the events are defined as follows: 

By Guess we denote the event that the adversary outputs $b$ where $b$ is the 
challenge bit. 

By Invalid we denote the event that $h \in \mathrm{know}_{cmd, bits, \Phi}$ with $cmd_h$ being of the 
form $C(\cdot)$. 

We will show that this definition can be met (at least in the random oracle 
model) in the next section. Clearly adKDM security implies DKDM security, 
since if we can only reveal keys that are not used for decrypting, the plaintexts 
of the challenge encryptions will never be in know. 
Adaptive KDM security in the random oracle model. As the OAEP construction is formulated in the random oracle model, we need to know how Definition 9 needs to be adapted when used in the random oracle model. In this case, the adversary A is given access to the random oracle, and the circuits f passed to the adKDM oracle are allowed to contain invocations of the random oracle. Furthermore, the key generation, encryption, and decryption algorithms may contain invocations of the random oracle.

On simulation-based notions. We often motivated our design choices above by comparison with an ideal setting in which the adversary knows exactly the bitstrings associated with handles in know. This leads to the question whether it is possible to instead directly define security under key-dependent message attacks using a simulation-based definition, i.e., to define an ideal functionality that handles encryption and decryption queries in an ideal fashion. This approach has been successfully used to formulate IND-CCA security in the UC framework [10]. Their approach, however, strongly depends on the fact that the functionality only needs to output public keys and (fake) encryptions (secret keys are only implicitly present due to the ability to use the functionality to decrypt messages).^8 It is currently unclear how this approach could be extended to a functionality that can output secret keys. (It is of course possible to define a functionality that outputs secret keys as long as no encryption queries have been performed for that key, but this leads to a definition that is too weak to handle, e.g., our example protocol, and that would roughly correspond to Definition 4.) This difficulty persists if we do not use the strong UC model [10] but instead the weaker stand-alone model as in [22, Chapter 7]. Consequently, although a simulation-based definition of KDM security might be very useful, it is currently unknown how to come up with such a definition.


4 OAEP Is adKDM-Secure 

We now prove the adKDM security of the OAEP scheme for a partial-domain one-way function. In particular, since the RSA permutation is partial-domain one-way under the RSA assumption (the result of Fujisaki, Okamoto, Pointcheval and Stern), the adKDM security of RSA-OAEP follows.

Theorem 10 (OAEP is adKDM secure). If f is a partial-domain one-way trapdoor 1-1 function, then the OAEP scheme (Enc, Dec) based on f is adKDM secure in the random oracle model.

To show this theorem, we first define an alternative characterization of partial-domain one-wayness.

^8 Technically, the reason is that a simulator has to be constructed that chooses the outputs of the functionality. As long as only public keys and ciphertexts are output, fake ciphertexts can be used since they cannot be decrypted. If the simulator had to generate secret keys, the fake ciphertexts could be decrypted and recognized.
Definition 11 (PD-Oracle). The PD-oracle 𝒫_f for a trapdoor 1-1 function f : S × T → range f (that may depend on a security parameter) maintains sequences of public/secret key pairs sk_i, pk_i (generated on first use). It understands the following queries:

- pk(j) and sk(j): Return pk_j or sk_j, respectively.
- challenge(h, j): If h has already been used, ignore this query. Let j_h := j. Choose (s_h, t_h) uniformly from S × T. Set c_h := f_{pk_j}(s_h, t_h). Return c_h.
- decrypt(h): Return (s_h, t_h).
- xdecrypt(c, j) where (c, j) ≠ (c_h, j_h) for all h: Check whether f^{-1}_{pk_j}(c) = (s_h, t_h) for some h. If so, return (s_h, t_h). Otherwise return ⊥.
- check(s): Return the first h with s_h = s. If no such h exists, return ⊥.

By PDBreak we denote the event that a query check(s) is performed such that

- the query returns h ≠ ⊥, and
- no query sk(j_h) and no query decrypt(h) has been performed before the current query.

Lemma 12. If f is partial-domain one-way, then for any polynomial-time adversary A querying 𝒫_f we have that Pr[PDBreak] is negligible in the security parameter.

The proof is given in the appendix. We additionally define a variant of the notion of knowledge as defined in Definition 8. We call this variant lazy knowledge.

Definition 13 (Lazy knowledge). For partial functions cmd, bits and a set Φ, we define the lazy knowledge lknow = lknow_{cmd,bits,Φ} of the adversary inductively as follows:

- Φ ⊆ lknow.
- If h' ∈ lknow and cmd_{h'} = D(j, h) then h ∈ lknow.
- If h' ∈ lknow and cmd_{h'} = F(f, h_1, ..., h_t) then h_1, ..., h_t ∈ lknow.
- If h' ∈ lknow and cmd_{h'} = C(h) then h ∈ lknow.
- If h', h_1, h_2 ∈ lknow, cmd_{h'} = D(j, h_1), bits_{h_1} = bits_{h_2} and cmd_{h_2} = E(j, h_3) then h_3 ∈ lknow.
- If h'_1, h'_2 ∈ lknow and cmd_{h'_1} = K(j) and cmd_{h'_2} = E(j, h) then h ∈ lknow.

The only change with respect to Definition 8 is that in the fifth rule we require that h_1, h_2 ∈ lknow. In Definition 13 all rules depend only on values bits_h for which h ∈ lknow; thus one can efficiently compute lknow without accessing bits_h for values h ∉ lknow by adding handles to lknow according to these rules until lknow does not grow any further. We call this algorithm the lazy knowledge algorithm. Note that lknow ⊆ know.

Proof sketch (of Theorem 10). To prove Theorem 10 we give a sequence of games that transforms an attack against the adKDM security of the OAEP scheme into an attack against the PD-oracle. This proof sketch only contains the proof structure and highlights selected steps. The full proof is given in the full version of this paper.

M. Backes, M. Dürmuth, and D. Unruh

Game 1. The adversary A runs with access to the unmodified adKDM oracle 𝒯. We assume that 𝒯 invokes an encryption oracle ℰ for encrypting and a decryption oracle 𝒟 for decrypting. In particular, the encryption oracle ℰ performs the following actions in the i-th query:

$$ r \leftarrow \{0,1\}^{k_0},\quad g := G(r),\quad s := (m \| 0^{k_1}) \oplus g,\quad h := H(s),\quad t := r \oplus h,\quad c := f_{pk}(s,t). $$

The decryption oracle 𝒟 acts as follows, assuming key index j and ciphertext c:

- (s, t) := f^{-1}_{sk}(c), r := t ⊕ H(s), (m, z) := s ⊕ G(r) with |m| = k − k_1 − k_0 and |z| = k_1.
- If z = 0^{k_1}, return m, otherwise return ⊥.

Game 2. We change the encryption oracle to first choose the ciphertext c and then compute the values s, t, r, h, g from it, i.e., upon the i-th query the encryption oracle does the following:

$$ (s,t) \leftarrow \{0,1\}^{k-k_0} \times \{0,1\}^{k_0},\quad c := f_{pk}(s,t),\quad r \leftarrow \{0,1\}^{k_0},\quad h := r \oplus t,\quad g := (m \| 0^{k_1}) \oplus s. $$

In particular, the values h and g are not retrieved from the oracles G and H any more. In order to keep the distribution of the values c, s, t, r, h, g consistent with the answers of the oracles G and H, the oracles G and H are additionally modified to return the values g and h chosen by the encryption oracle (i.e., G(r) := g and H(s) := h). We show that the probability of a successful attack is modified only by a negligible amount with respect to Game 1.
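As an added example (not code from the paper), the following Python implements the Game 1 encryption oracle and the Game 2 rewrite over a toy RSA trapdoor permutation with programmable random oracles G and H, and checks that the decryption oracle recovers m in both games, which is the consistency the game hop relies on. The primes, the exponent, the parameter sizes k, k_0, k_1 and the hash-based default answers of the oracles are assumptions of the example; the exception raised by program() marks the bad event in which the oracle was already queried at the point to be programmed.

```python
# Added example, not from the paper: OAEP over a toy RSA trapdoor permutation with
# programmable random oracles, implementing the Game 1 encryption oracle and the
# Game 2 rewrite (sample the ciphertext first, then program G(r) := g, H(s) := h).
# The primes, e, the parameter sizes and the hash-based default answers of the
# oracles are assumptions of this example.
import hashlib
import random
from typing import Optional, Tuple

# Toy RSA (assumption): n = p*q is about 2^59.8, so the OAEP domain is k = 59 bits.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))           # secret exponent
K, K0, K1 = 59, 16, 16                       # |s||t| = k, |t| = |r| = k0, |z| = k1
MSG_BITS = K - K0 - K1                       # plaintexts are 27-bit strings


def f_pk(s: int, t: int) -> int:
    """The trapdoor 1-1 function f_pk on (s, t), with s||t read as a k-bit integer."""
    return pow((s << K0) | t, E, N)


def f_inv(c: int) -> Optional[Tuple[int, int]]:
    """f^-1_sk(c); None if the preimage is not a k-bit string (c outside range f)."""
    x = pow(c, D, N)
    if x >> K:
        return None
    return x >> K0, x & ((1 << K0) - 1)


class Oracle:
    """Lazily sampled random oracle {0,1}^* -> {0,1}^out_bits.  Unprogrammed
    points are answered by SHA-256 (an assumption standing in for fresh randomness);
    program() fixes the answer at a point the adversary has not queried yet."""

    def __init__(self, label: bytes, out_bits: int):
        self.label, self.out_bits, self.table = label, out_bits, {}

    def __call__(self, x: int) -> int:
        if x not in self.table:
            digest = hashlib.sha256(self.label + x.to_bytes(8, "big")).digest()
            self.table[x] = int.from_bytes(digest, "big") & ((1 << self.out_bits) - 1)
        return self.table[x]

    def program(self, x: int, y: int) -> None:
        if x in self.table and self.table[x] != y:
            raise RuntimeError("point already answered: the bad event of Game 2")
        self.table[x] = y


def encrypt_game1(m: int, rng: random.Random, G: Oracle, H: Oracle) -> int:
    r = rng.getrandbits(K0)
    g = G(r)
    s = (m << K1) ^ g                        # s := (m || 0^k1) xor g
    h = H(s)
    t = r ^ h                                # t := r xor h
    return f_pk(s, t)


def encrypt_game2(m: int, rng: random.Random, G: Oracle, H: Oracle) -> int:
    s, t = rng.getrandbits(K - K0), rng.getrandbits(K0)   # choose (s, t), hence c, first
    c = f_pk(s, t)
    r = rng.getrandbits(K0)
    h = r ^ t                                # so that r = t xor H(s) on decryption
    g = (m << K1) ^ s                        # so that (m || 0^k1) = s xor G(r)
    H.program(s, h)                          # make the oracles consistent with c
    G.program(r, g)
    return c


def decrypt(c: int, G: Oracle, H: Oracle) -> Optional[int]:
    st = f_inv(c)
    if st is None:
        return None
    s, t = st
    r = t ^ H(s)
    mz = s ^ G(r)
    m, z = mz >> K1, mz & ((1 << K1) - 1)
    return m if z == 0 else None             # redundancy check z = 0^k1


def run_both_games(seed: int, m: int = 0x5A5A5A5) -> Tuple[bool, bool]:
    """Encrypt the (constructed) 27-bit plaintext m with the Game 1 oracle and with
    the Game 2 oracle, fresh G and H for each, and report whether decryption
    recovers m in each case."""
    rng = random.Random(seed)
    G1, H1 = Oracle(b"G", K - K0), Oracle(b"H", K0)
    G2, H2 = Oracle(b"G", K - K0), Oracle(b"H", K0)
    ok1 = decrypt(encrypt_game1(m, rng, G1, H1), G1, H1) == m
    ok2 = decrypt(encrypt_game2(m, rng, G2, H2), G2, H2) == m
    return ok1, ok2


if __name__ == "__main__":
    print(run_both_games(2008))              # (True, True)
```

In Game 2 the plaintext m enters only through g, and g is only needed when G is queried at r; the code makes that visible, which is exactly the observation Game 4 below exploits.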
Game 3. We now change the definition of what constitutes a successful attack. In Game 1 and Game 2 we considered it a successful attack if the adversary guessed the bit b chosen by the adKDM oracle 𝒯 without performing queries such that the knowledge in the sense of Definition 8 would contain a handle corresponding to a query of the form C(·); see Definition 9. Now, in Game 3 we consider it to be a successful attack if the adversary guessed b without performing queries such that the lazy knowledge in the sense of Definition 13 contains a handle corresponding to a query C(·). Since the lazy knowledge is a subset of the knowledge, this represents a weakening of the restrictions put on the adversary. Thus the probability of an attack in Game 2 is upper-bounded by the probability of an attack in Game 3.

Game 4. This step is arguably the most important step in the proof. In Game 3, bitstrings bits_h associated to handles h are often computed but never used. For example, the adversary might perform a query h ← E(...) and never use the handle h again. More importantly, however, even if the adversary performs a query h' ← E(j, h) for that handle h, the value bits_h does not need to be computed, due to the following observation: the encryption oracle as introduced in Game 2 chooses the ciphertext c at random. The value g (which is the only value depending on the plaintext m) is only needed for suitably reprogramming the oracle G (namely such that G(r) = g). Thus we can delay the computation of g until G is queried at position r. Thus in case of a query h' ← E(j, h), the value m = bits_h is not needed for computing bits_{h'}. We use this fact to rewrite the whole game Game 3 such that it only computes a value bits_h when it is actually needed for computing some output sent to the adversary or for computing the lazy knowledge.

The bit b is only used in this game if a value bits_h is computed that corresponds to a query h ← C(·). If this is not the case, the communication between the adversary and 𝒯 is independent of b. Hence, for proving that the probability of attack in the sense of Game 3 is only negligibly larger than 1/2 (which then shows Theorem 10), it is sufficient to show that only with negligible probability a value bits_h is computed such that h is not in the lazy knowledge. Namely, as long as no such value bits_h is computed, the adversary cannot have a higher probability in guessing b than 1/2 unless h ∈ lknow.

Game 5. Now we replace the decryption oracle by a plaintext extractor. More concretely, the decryption oracle performs the following steps when given a ciphertext c:

(a) First, it checks whether c = f_{pk}(s, t) for some pair (s, t) generated by the encryption oracle.^9 Then values (s, t) are known such that f_{pk}(s, t) = c, and the oracle can decrypt c without accessing the secret key sk.

(b) Otherwise, it checks whether for some s that has been computed by the encryption oracle there exists a value t such that f_{pk}(s, t) = c. (Doing this efficiently requires the secret key; otherwise we would have to iterate over all possible values t.) If so, reject the ciphertext.

(c) Otherwise, for all values s, r that have been generated so far, compute t := r ⊕ H(s) and (m, z) := s ⊕ G(r). Then check whether f_{pk}(s, t) = c and z = 0^{k_1}. If so, return m. Otherwise reject the ciphertext.

We can show that this plaintext extractor is a good simulation of the original decryption oracle (in particular, the adversary is able to produce an s triggering rejection in (b) only if the decryption would fail anyway). Thus the probability that a value bits_h is computed such that h is not in the lazy knowledge does not increase by a non-negligible amount.

Game 6. In this final step, we modify Game 5 not to generate the public/secret key pairs on its own, but to use the PD-oracle 𝒫 defined in Definition 11. In particular, we make the following changes:

- When the secret key sk_j is needed (for computing bits_h for a h ← K(j) query), query sk(j) from 𝒫.
- When producing a ciphertext bits_{h'} (these are produced just as random images of f_{pk}), use challenge(h', j) where j is the corresponding key index.
- In the decryption oracle, for checking the condition (a) in Game 5 we distinguish two cases. If c was produced by the encryption oracle, the decryption oracle sends a decrypt(h) query to 𝒫 where h is the query in which c was produced. Otherwise it sends an xdecrypt(c, j) query to 𝒫 where j is the index of the key used in the decryption query. In both cases, if the check in (a) would have succeeded, 𝒫 will send back a preimage (s, t) of c.
- The check (b) is performed by sending check(s) to 𝒫.

A case analysis reveals that if a value bits_h is computed such that h is not in the lazy knowledge, then the event PDBreak (as in Definition 11) occurs. By Lemma 12 this can only happen with negligible probability. Thus no value bits_h is computed such that h is not in the lazy knowledge, and therefore the advantage of the adversary is negligible (as discussed in Game 4). □

^9 This does not imply that c has been generated by the encryption oracle since the encryption oracle might have used a different public key pk at that time.
Proof (of Lemma 12). We define a machine B that implements the PD-oracle with slight changes. Let q be an upper bound on the number of queries performed by A. Then B gets as input a key pair pk*, sk*, values (s*, t*) ∈ S × T and a value c*. Let j* be the i_1-th key index that is used in A's queries, and let h* be the i_2-th handle that is used in a query of the form challenge(h, j*). Then B answers A's queries as follows (for simplicity, if we write f^{-1}_{pk_j} we mean an application of the secret key sk_j):

- pk(j): If j = j*, return pk*, otherwise return pk_j.
- sk(j): If j = j*, return sk*, otherwise return sk_j.
- challenge(h, j): If h has already been used, ignore this query.
  - If h = h* (and thus also j = j*) then set c_h := c* and return c_h.
  - If h ≠ h* then choose (s_h, t_h) uniformly from S × T. Set c_h := f_{pk_{j_h}}(s_h, t_h). Return c_h.
- decrypt(h): If h = h*, return (s*, t*). Otherwise return (s_h, t_h).
- xdecrypt(c, j) where (c, j) ≠ (c_h, j_h) for all h. This is equivalent to the following:
  - If j ≠ j* then check whether f^{-1}_{pk_j}(c) = (s_h, t_h) for some h ≠ h* or f_{pk_{j*}}(f^{-1}_{pk_j}(c)) = c_{h*}. If so, return f^{-1}_{pk_j}(c). Otherwise, return ⊥.
  - If j = j* then test if f_{pk_{j*}}(s_h, t_h) = c for any h ≠ h*. If such an h exists, output (s_h, t_h). Otherwise, return ⊥.
- check(s): If s = s_h for some h ≠ h*, return the first such h. If sk(j*) or decrypt(h*) has been queried, check whether s = s*. If so, return h*. Otherwise return ⊥.

We claim that this machine B behaves identically to the PD-oracle 𝒫 until the event PDBreak occurs, and that A's view is independent of i_1, i_2 until the event PDBreak occurs (assuming that the inputs sk*, pk* are an honestly generated key pair, (s*, t*) is uniformly distributed on S × T and c* = f_{pk*}(s*, t*)). For the queries pk, sk, challenge, and decrypt this is straightforward. In the case of xdecrypt we distinguish two cases: For j ≠ j*, the check performed is equivalent to checking whether f^{-1}_{pk_j}(c) = (s_h, t_h) for some h ≠ h* or f^{-1}_{pk_j}(c) = (s*, t*), and then returning (s_h, t_h) or (s*, t*), respectively. Thus in this case the answer to the query xdecrypt is the same as that the PD-oracle 𝒫 would give. For j = j*, in comparison to 𝒫, the check whether f_{pk_{j*}}(s*, t*) = c is missing. However, if this check held true, we would have that (c, j) = (c*, j*), which is excluded. To see that the query check(s) gives the same answers in B and 𝒫 until PDBreak occurs, note that the only case where check(s) would give another answer in 𝒫 is when s = s* but neither sk(j*) nor decrypt(h*) has been queried. However, in this case h* would be returned in 𝒫, thus PDBreak occurs.^10 So altogether, we have that B behaves identically to 𝒫 and A's view is independent of i_1, i_2 until the event PDBreak occurs.

By PDBreak_{i'_1, i'_2} we denote the event that check(s) is queried with s = s_h where h is the i'_2-th handle used by A, and no query sk(j_h) or decrypt(h) has been performed, where j_h is the i'_1-th key index used by A. Obviously, if PDBreak occurs, then PDBreak_{i'_1, i'_2} occurs for some i'_1, i'_2 ∈ {1, ..., q}. Since the view of A is independent of i_1, i_2, we have that Pr[PDBreak_{i_1, i_2}] ≥ (1/q²) Pr[PDBreak]. So it is enough to show that Pr[PDBreak_{i_1, i_2}] =: ε is negligible. Observe that in the description of B, in case of the event PDBreak_{i_1, i_2} the inputs sk*, s*, t* are never accessed. So if we run B with the inputs sk*, s*, t* set to ⊥, PDBreak_{i_1, i_2} still occurs with probability at least ε. Further, PDBreak_{i_1, i_2} implies that check(s) is called with s = s*, i.e., with the first component of f^{-1}_{pk*}(c*). So if we let B output one of the values s used in check(s) queries (randomly chosen), we break the partial-domain one-wayness of f with probability at least ε/q. Thus by contradiction, ε must be negligible. Thus Pr[PDBreak] is negligible in an execution of B and thus also in one of 𝒫. □

^10 In slight abuse of notation, we denote by PDBreak not the event that h ≠ ⊥ is returned without a query of sk(j_h) or decrypt(h), but that some check(s) is queried such that s = s_h and no query sk(j_h) or decrypt(h) has been performed. Since for 𝒫 these are equivalent, it is enough to show the lemma w.r.t. this slightly changed definition.
Abstract. In this paper, we present a correlation attack on Sosemanuk with complexity less than 2^150. Sosemanuk is a software-oriented stream cipher proposed by Berbain et al. to the eSTREAM call for stream ciphers and has been selected in the final portfolio. Sosemanuk consists of a linear feedback shift register (LFSR) of ten 32-bit words and a finite state machine (FSM) of two 32-bit words. By combining linear approximation relations regarding the FSM update function, the FSM output function and the keystream output function, it is possible to derive linear approximation relations with correlation −2^{−21.41} involving only the keystream words and the LFSR initial state. Using such linear approximation relations, we mount a correlation attack with complexity 2^{147.88} and success probability 99% to recover the initial internal state of 384 bits. We also mount a correlation attack on SNOW 2.0 with complexity 2^{204.38}.

Keywords: stream cipher, Sosemanuk, SNOW 2.0, correlation attack, linear mask.


1 Introduction 

Sosemanuk [3] is a software-oriented stream cipher proposed by Berbain et al. to the eSTREAM call for stream ciphers and has been selected in the final portfolio. The merits of Sosemanuk have been recognized as its considerable security margin and moderate performance [2].

Sosemanuk is based on the stream cipher SNOW 2.0 [?] and the block cipher Serpent [?]. Though SNOW 2.0 is a highly reputed stream cipher, it is vulnerable to linear distinguishing attacks using linear masks [?]. To strengthen it against linear distinguishing attacks, Sosemanuk applies multiplication modulo 2^32 with a bit rotation in the FSM update function and a Serpent S-box in bit-slice mode in the keystream output function. As of now, there are no known attacks against Sosemanuk with complexity less than 2^226 [?].

Cryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks. © International Association for Cryptologic Research 2008.

Linear masking has been used in the linear distinguishing attacks on word-based stream ciphers such as SNOW 1.0 [?], SNOW 2.0, NLS [?], and Dragon [?]. Coppersmith et al. [?] presented a linear distinguishing attack on SNOW 1.0. They identified linear approximation relations of large correlation involving only the LFSR states and the keystream words. Then, using simple bitwise recurrence relations between the LFSR state words, they were able to mount a linear distinguishing attack on SNOW 1.0. Watanabe et al. [?] presented a linear distinguishing attack on SNOW 2.0 and then Nyberg and Wallén [?] refined the attack.

On the other hand, Berbain et al. [?] presented a correlation attack on Grain using linear approximation relations between the initial LFSR state and the keystream bits to recover the initial LFSR state. As to solving systems of linear approximation equations, a similar technique was used in [?] and an iterative decoding technique was used in [?].

In this paper, combining the linear masking method with the techniques in [?] using the fast Walsh transform to recover the initial LFSR state of Grain, we mount a correlation attack on Sosemanuk. The time, data and memory complexities are all less than 2^150.

This paper is organized as follows. In Sect. 2 we present a description of Sosemanuk. In Sect. 3 we show how to get approximation relations between the initial LFSR state and the keystream words. In Sect. 4 we describe the attack using the approximation relations. In Sect. 5 we present simulation results. In Sect. 6 we present a correlation attack on SNOW 2.0. We conclude in Sect. 7.

2 Preliminaries 

2.1 Notations and Definitions 

We define the correlation of a function with respect to masks as follows. Let f : (GF(2)^n)^k → GF(2)^n be a function and let Λ_0, Λ_1, ..., Λ_k be n-bit masks. Then the correlation of f with respect to the tuple (Λ_0; Λ_1, ..., Λ_k) of masks is defined as

$$ c_f(\Lambda_0; \Lambda_1, \ldots, \Lambda_k) := 2\,\mathrm{Prob}\bigl(\Lambda_0 \cdot f(x_1, \ldots, x_k) = \Lambda_1 \cdot x_1 \oplus \cdots \oplus \Lambda_k \cdot x_k\bigr) - 1, $$

where · represents the inner product, which will be omitted henceforth. We also define the correlation of an approximation relation as

$$ 2\,\mathrm{Prob}(\text{the approximation holds}) - 1. $$

The following notations will be used in the following sections.

- wt(x): the Hamming weight of a binary vector or a 32-bit word x
- ⊞: addition modulo 2^32
- ×: multiplication modulo 2^32
- [i_1, ..., i_m]: the 32-bit linear mask 2^{i_1} + ... + 2^{i_m} (i_1, ..., i_m are distinct integers between 0 and 31)
- c_+(Γ_0; Γ_1, ..., Γ_m): the correlation of f(x_1, ..., x_m) = x_1 ⊞ ... ⊞ x_m with respect to the tuple (Γ_0; Γ_1, ..., Γ_m) of 32-bit masks
- c2_+(Γ) := c_+(Γ; Γ, Γ) for a 32-bit linear mask Γ
- c3_+(Γ) := c_+(Γ; Γ, Γ, Γ) for a 32-bit linear mask Γ
- c_T(Γ_0; Γ_1): the correlation of Trans(x) with respect to the tuple (Γ_0; Γ_1) of 32-bit masks
- c2_T(Γ) := c_T(Γ; Γ) for a 32-bit linear mask Γ
- x_(j): the j-th least significant bit of a nibble, a byte or a 32-bit word x
2.2 Description of Sosemanuk

The structure of Sosemanuk [3] is depicted in Fig. 1. Sosemanuk consists of three main components: a 10-word linear feedback shift register, a 2-word finite state machine, and a nonlinear output function. Sosemanuk is initialized with a key of length between 128 and 256 bits and a 128-bit initialization value. The output of the cipher is a sequence of 32-bit keystream words (z_t)_{t≥1}. The LFSR state at time t is denoted by LR_t = (s_{t+1}, s_{t+2}, ..., s_{t+10}) (t = 0 designates the time after initialization). The LFSR is updated using the recurrence relation

$$ s_{t+10} = s_{t+9} \oplus \alpha^{-1} s_{t+3} \oplus \alpha s_t \quad \text{for all } t \ge 1, $$

where α is a zero of the primitive polynomial

$$ P(X) = X^4 + \beta^{23} X^3 + \beta^{245} X^2 + \beta^{48} X + \beta^{239} $$

over GF(2^8), and GF(2^8) = GF(2)[β], where β is a zero of the primitive polynomial

$$ Q(X) = X^8 + X^7 + X^5 + X^3 + 1 $$

over GF(2). The FSM state at time t is denoted by (R1_t, R2_t). The FSM is updated as follows:

$$ R1_t = R2_{t-1} \boxplus \bigl(s_{t+1} \oplus \mathrm{lsb}(R1_{t-1})\, s_{t+8}\bigr), \qquad R2_t = \mathrm{Trans}(R1_{t-1}) = (M \times R1_{t-1}) \lll 7, $$

where M = 0x54655307. The FSM has output

$$ f_t = (s_{t+9} \boxplus R1_t) \oplus R2_t. $$

The keystream words are obtained as follows:

$$ (z_{t+3}, z_{t+2}, z_{t+1}, z_t) = \mathrm{Serpent1}(f_{t+3}, f_{t+2}, f_{t+1}, f_t) \oplus (s_{t+3}, s_{t+2}, s_{t+1}, s_t) \quad (t \equiv 1 \pmod 4), $$

where Serpent1 denotes the Serpent S-box S2 applied in bit-slice mode. Four words are output per 4 LFSR clockings.
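The following Python is an added example, not the designers' reference code: it implements the keystream generator exactly as described in this section (GF(2^8)[α] arithmetic for multiplication by α and α^{-1}, the FSM with Trans, S2 in bit-slice mode), starting from an already-initialised state since the key/IV setup is not described here. The byte convention x = x_3 α^3 + x_2 α^2 + x_1 α + x_0 with x_3 the most significant byte, and the sample state, are assumptions of the example; the coefficients of α^{-1} follow from dividing P(α) = 0 by β^{239} α, and the built-in check is that multiplication by α and by α^{-1} invert each other.

```python
# Added example, not from the paper: the Sosemanuk keystream generator as described
# above (LFSR over GF(2^8)[alpha], FSM with Trans, Serpent S2 in bit-slice mode).
# Byte convention (assumption): word x = x3*alpha^3 + x2*alpha^2 + x1*alpha + x0 with
# x3 the most significant byte.  No official test vector is reproduced here.
from typing import List, Tuple

MASK32 = 0xFFFFFFFF
POLY8 = 0x1A9                     # Q(X) = X^8 + X^7 + X^5 + X^3 + 1, beta = X
M = 0x54655307
S2 = [8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2]


def gf8_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) = GF(2)[beta]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY8
        b >>= 1
    return r


def beta_pow(e: int) -> int:
    """beta^e by square-and-multiply (beta has order 255)."""
    r, base, e = 1, 2, e % 255
    while e:
        if e & 1:
            r = gf8_mul(r, base)
        base = gf8_mul(base, base)
        e >>= 1
    return r


# alpha^4  = b^23 a^3 + b^245 a^2 + b^48 a + b^239   (P(alpha) = 0)
# alpha^-1 = b^16 a^3 + b^39 a^2 + b^6 a + b^64      (divide P(alpha) = 0 by b^239 alpha)
A4 = [beta_pow(239), beta_pow(48), beta_pow(245), beta_pow(23)]    # coefficients of a^0..a^3
AINV = [beta_pow(64), beta_pow(6), beta_pow(39), beta_pow(16)]


def bytes_of(x: int) -> List[int]:        # [x0, x1, x2, x3]
    return [(x >> (8 * i)) & 0xFF for i in range(4)]


def word_of(b: List[int]) -> int:
    return sum(b[i] << (8 * i) for i in range(4))


def mul_alpha(x: int) -> int:
    x0, x1, x2, x3 = bytes_of(x)          # x*alpha = x3*alpha^4 + x2 a^3 + x1 a^2 + x0 a
    return word_of([gf8_mul(A4[0], x3), x0 ^ gf8_mul(A4[1], x3),
                    x1 ^ gf8_mul(A4[2], x3), x2 ^ gf8_mul(A4[3], x3)])


def mul_alpha_inv(x: int) -> int:
    x0, x1, x2, x3 = bytes_of(x)          # x*alpha^-1 = x0*alpha^-1 + x1 + x2 a + x3 a^2
    return word_of([x1 ^ gf8_mul(AINV[0], x0), x2 ^ gf8_mul(AINV[1], x0),
                    x3 ^ gf8_mul(AINV[2], x0), gf8_mul(AINV[3], x0)])


def trans(x: int) -> int:                 # Trans(x) = (M x mod 2^32) <<< 7
    y = (M * x) & MASK32
    return ((y << 7) | (y >> 25)) & MASK32


def serpent1(w3: int, w2: int, w1: int, w0: int) -> Tuple[int, int, int, int]:
    """S2 in bit-slice mode: bit j of (w3, w2, w1, w0) is one S-box input nibble
    (w0 gives x_(0)); the output nibble lands in bit j of the four outputs."""
    out = [0, 0, 0, 0]
    for j in range(32):
        x = ((w0 >> j) & 1) | (((w1 >> j) & 1) << 1) | (((w2 >> j) & 1) << 2) | (((w3 >> j) & 1) << 3)
        y = S2[x]
        for b in range(4):
            out[b] |= ((y >> b) & 1) << j
    return out[3], out[2], out[1], out[0]


class Sosemanuk:
    """Keystream generation from an already-initialised state
    LR_0 = (s_1, ..., s_10), R1_0, R2_0 (key/IV setup is not reproduced)."""

    def __init__(self, lfsr: List[int], r1: int, r2: int):
        self.s, self.r1, self.r2 = list(lfsr), r1, r2

    def clock(self) -> Tuple[int, int]:
        """Advance from time t to t+1; return (f_{t+1}, s_{t+1})."""
        s = self.s                          # s[i] = s_{t+1+i}
        self.r1, self.r2 = (self.r2 + (s[1] ^ (s[8] if self.r1 & 1 else 0))) & MASK32, trans(self.r1)
        f = ((s[9] + self.r1) & MASK32) ^ self.r2          # f_{t+1} = (s_{t+10} + R1) ^ R2
        s_out = s[0]
        s_new = s[9] ^ mul_alpha_inv(s[3]) ^ mul_alpha(s[0])  # s_{t+11}
        self.s = s[1:] + [s_new]
        return f, s_out

    def keystream(self, nwords: int) -> List[int]:
        z: List[int] = []
        while len(z) < nwords:
            fs = [self.clock() for _ in range(4)]          # (f_t..f_{t+3}), (s_t..s_{t+3})
            f = [p[0] for p in fs]
            sw = [p[1] for p in fs]
            y3, y2, y1, y0 = serpent1(f[3], f[2], f[1], f[0])
            z += [y0 ^ sw[0], y1 ^ sw[1], y2 ^ sw[2], y3 ^ sw[3]]
        return z[:nwords]
```

Trans, the α/α^{-1} multiplications and the bit-sliced S-box are exactly the three places where the approximations of Sect. 3 are applied, so a reader can instrument this code to measure per-component correlations for a chosen mask.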

Fig. 1. The Structure of Sosemanuk (figure not reproduced).

3 Linear Approximations

In this section, we get linear approximation relations involving only the LFSR states and the keystream words with non-negligible correlation by approximating the FSM update functions, the FSM output functions, and the keystream output function using linear masks with non-negligible correlation.

Let a_t = lsb(R1_t). We consider the following approximations using a 32-bit linear mask Γ, obtained by replacing all operations (modular additions and the Trans function) by XORs in the FSM update function and the FSM output function:

$$ \Gamma R1_{t+1} = \Gamma R2_t \oplus \Gamma(s_{t+2} \oplus a_t s_{t+9}), $$
$$ \Gamma R2_{t+1} = \Gamma R1_t, $$
$$ \Gamma f_t = \Gamma s_{t+9} \oplus \Gamma R1_t \oplus \Gamma R2_t, $$
$$ \Gamma f_{t+1} = \Gamma s_{t+10} \oplus \Gamma R1_{t+1} \oplus \Gamma R2_{t+1}. $$

XORing the above relations and applying the Piling-Up Lemma, we have the approximation

$$ \Gamma(f_t \oplus f_{t+1}) = \Gamma s_{t+2} \oplus a_t \Gamma s_{t+9} \oplus \Gamma s_{t+9} \oplus \Gamma s_{t+10} \qquad (1) $$

with correlation c2_+(Γ)^3 c2_T(Γ), assuming that the four linear approximations are independent.

However, computing the correlation as above is not accurate, since the approximation relations have high dependencies. For example, approximations of two modular additions with correlations c_1, c_2 do not necessarily yield an approximation with correlation c_1 c_2. So we need to consider approximation relations which do not have obvious dependencies. We have the following equations regarding the internal states and keystream words:

$$ f_t \oplus R2_t = s_{t+9} \boxplus \mathrm{Trans}^{-1}(R2_{t+1}), $$
$$ f_{t+1} \oplus R2_{t+1} = s_{t+10} \boxplus \bigl(R2_t \boxplus (s_{t+2} \oplus a_t s_{t+9})\bigr). $$

We consider the following associated approximation relations

$$ \Gamma f_t \oplus \Gamma R2_t = \Gamma s_{t+9} \oplus \Gamma R2_{t+1}, $$
$$ \Lambda f_{t+1} \oplus \Lambda R2_{t+1} = \Lambda s_{t+10} \oplus \Lambda R2_t \oplus \Lambda s_{t+2} \oplus a_t \Lambda s_{t+9}, $$

where Γ and Λ are linear masks as depicted in Fig. 2. The correlations of the above approximations are

$$ \sum_{\Phi} c_+(\Gamma; \Gamma, \Phi)\, c_T(\Gamma; \Phi) $$

and c3_+(Λ), respectively.
Fig. 2. Some Linear Masking of Sosemanuk (figure not reproduced).

Note that the first correlation is a composite correlation of the function x_2 = Trans^{-1}(x_3) and the function y = x_1 ⊞ x_2 with respect to (Γ; Γ, Γ), which can be computed as a sum of partial correlations [?, Theorem ?]. So if we let Γ = Λ, we have the same approximation relation (1) with correlation

$$ c3_+(\Gamma) \sum_{\Phi} c_+(\Gamma; \Gamma, \Phi)\, c_T(\Gamma; \Phi). $$

In order to remove the terms involving f_t and f_{t+1} in (1), we will utilize a linear approximation relation regarding the keystream output function that comes from the third S-box S2 of the block cipher Serpent in bit-slice mode:

unsigned char S2[16] = {8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2};

S2 has maximal linear correlation 1/2. Regarding the function y = S2(x), we have 8 linear approximation relations with maximal correlation 1/2 which are of the form

$$ x_{(i)} + x_{(i+1)} + (\text{terms involving only } y) = 0. $$

Each of these approximation relations gives linear approximation relations regarding the keystream output function. We will use the relation

$$ x_{(0)} + x_{(1)} + y_{(0)} + y_{(3)} = 0, $$

which induces the following relation for any j = 0, ..., 31:

$$ (f_t)_{(j)} \oplus (f_{t+1})_{(j)} \oplus (z_t)_{(j)} \oplus (s_t)_{(j)} \oplus (z_{t+3})_{(j)} \oplus (s_{t+3})_{(j)} = 0, $$

with correlation 1/2 when t ≡ 1 (mod 4). Thus if Γ is a linear mask, then

$$ \Gamma(f_t \oplus f_{t+1}) \oplus \Gamma z_t \oplus \Gamma s_t \oplus \Gamma z_{t+3} \oplus \Gamma s_{t+3} = 0 \qquad (2) $$

holds with correlation (1/2)^{wt(Γ)} when t ≡ 1 (mod 4). Noting that

$$ a_t \Gamma s_{t+9} \oplus \Gamma s_{t+9} = 0 $$

holds with correlation 1/2, we obtain the linear approximation (3) involving only LFSR states and keystream words by XORing relations (1) and (2):

$$ \Gamma s_t \oplus \Gamma s_{t+2} \oplus \Gamma s_{t+3} \oplus \Gamma s_{t+10} = \Gamma z_t \oplus \Gamma z_{t+3} \qquad (3) $$

with correlation

$$ C(\Gamma) := \Bigl(\tfrac{1}{2}\Bigr)^{wt(\Gamma)+1} c3_+(\Gamma) \sum_{\Phi} c_+(\Gamma; \Gamma, \Phi)\, c_T(\Gamma; \Phi) $$

when t ≡ 1 (mod 4), assuming that the approximations are independent. Note that we do not see obvious dependencies between the approximations given above. We check the validity of our estimation by the simulations described in Sect. 5.
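As an added example (not from the paper), the Python below computes S-box correlations in the sense of Sect. 2.1 for S2, lists the maximal-correlation relations whose input mask is x_(i) + x_(i+1), and evaluates the correlation of relation (2) exactly for a mask of a given weight by enumerating one input nibble per bit slice, which reproduces the factor (1/2)^{wt(Γ)}. Enumerating whole nibbles per slice is the only assumption; it is exact because the bit-sliced S-box acts on disjoint bit positions.

```python
# Added example, not from the paper: correlations of Serpent's S2 in the sense of
# Sect. 2.1, the maximal-correlation relations with input mask x_(i)+x_(i+1), and the
# exact correlation (1/2)^wt(Gamma) of relation (2), obtained by enumerating the
# wt(Gamma) bit slices of the bit-sliced S-box (disjoint bits, hence independent).
from typing import List, Tuple

S2 = [8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2]


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def sbox_correlation(sbox: List[int], out_mask: int, in_mask: int) -> float:
    """c_S(out_mask; in_mask) = 2 Prob(out_mask . S(x) = in_mask . x) - 1 over all x."""
    n = len(sbox)
    agree = sum(1 for x in range(n) if parity(out_mask & sbox[x]) == parity(in_mask & x))
    return 2 * agree / n - 1


def maximal_relations(sbox: List[int]) -> Tuple[float, List[Tuple[int, int, float]]]:
    """All (in_mask, out_mask, c) with |c| equal to the largest |c| over nonzero masks."""
    table = {(i, o): sbox_correlation(sbox, o, i) for i in range(1, 16) for o in range(1, 16)}
    best = max(abs(c) for c in table.values())
    return best, sorted((i, o, c) for (i, o), c in table.items() if abs(c) == best)


def adjacent_input_relations(sbox: List[int]) -> List[Tuple[int, int, float]]:
    """Maximal relations of the form x_(i) + x_(i+1) + (terms in y) = 0."""
    _, rels = maximal_relations(sbox)
    return [r for r in rels if r[0] in (0b0011, 0b0110, 0b1100)]


def relation2_correlation(gamma_bits: List[int], in_mask: int = 0b0011,
                          out_mask: int = 0b1001) -> float:
    """Correlation of the XOR, over the positions j in Gamma, of the per-slice relation
    in_mask.x^(j) + out_mask.y^(j) = 0 (relation (2) for the mask Gamma).  Only the
    slice at position j matters, so enumerating one nibble per slice is exact."""
    w = len(gamma_bits)
    zeros = 0
    for code in range(16 ** w):
        acc, rest = 0, code
        for _ in range(w):
            x, rest = rest % 16, rest // 16
            acc ^= parity(in_mask & x) ^ parity(out_mask & S2[x])
        zeros += acc == 0
    return 2 * zeros / 16 ** w - 1


if __name__ == "__main__":
    print(sbox_correlation(S2, 0b1001, 0b0011))      # x0 + x1 + y0 + y3 = 0: 0.5
    print(adjacent_input_relations(S2))
    print(relation2_correlation([25, 24, 14, 0]))    # (1/2)^4 = 0.0625
```

The same enumeration, run on the 65536 inputs of a weight-4 mask, is the direct check behind the factor (1/2)^{wt(Γ)} in C(Γ); the remaining factors of C(Γ) come from the modular additions and Trans and cannot be enumerated this way.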

3.1 Search for Linear Masks 

We try to find Γ such that |C(Γ)| is as large as possible. Taking into consideration the factor (1/2)^{wt(Γ)}, we confined the search to masks of weight less than or equal to 5. Furthermore, we have the following observation from many examples, though we do not have a proof:

- If c2_T(Γ) = 0, then C(Γ) = 0.

Based on this observation, we compute C(Γ) for a given mask Γ in the following way. If c2_T(Γ) ≠ 0, then

1. we compute c3_+(Γ) using [?, Theorem 1] regarding the correlation of modular addition;
2. we compute Σ_Φ c_+(Γ; Γ, Φ) c_T(Γ; Φ) using [?, Theorem 1] and the fast Walsh transform. Once Γ is fixed, we can compute c_+(Γ; Γ, Φ) for any Φ using the description with a finite automaton in [?]. It turns out that for each Γ, c_+(Γ; Γ, Φ) = 0 for most Φ. Using the fast Walsh transform, for each fixed Γ, we can compute c_T(Γ; Φ) for all Φ with time complexity 2^37 and memory complexity 2^32.
Table 1. Correlations with respect to some linear masks of weight 4

Γ                  log_2|c3_+(Γ)|   log_2|Σ_Φ c_+(Γ;Γ,Φ) c_T(Γ;Φ)|   −(wt(Γ)+1)   |C(Γ)|
[25, 14, 13, 0]    −3.17            −14.33                           −5           2^{−22.50}
[25, 24, 14, 0]    −3.17            −13.24                           −5           2^{−21.41}
[25, 22, 18, 0]    −4.55            −15.13                           −5           2^{−24.68}

Then we obtain the following results:

- There does not exist a mask Γ of weight 1, 2, or 3 such that |C(Γ)| > 2^{−29}.
- The only masks Γ of weight 2 such that C(Γ) ≠ 0 are [i, i+25] (i = 0, ..., 6).
- There exist masks Γ of weight 4 such that |C(Γ)| > 2^{−25}. Some of them are listed in Table 1.

We also considered some masks Γ of the form [i, i+25, j, k, l], but we could not find one such that |C(Γ)| > 2^{−25}. Thus the best linear mask we found is [25, 24, 14, 0], for which the correlation is −2^{−21.41}.

4 Correlation Attack on Sosemanuk 

In this section, we describe a correlation attack against Sosemanuk recovering the initial internal state. Using the approximation relations (3) involving only LFSR state words and keystream words with non-negligible correlation obtained in the preceding section, we apply the techniques in [?] using the fast Walsh transform to mount the attack.

Getting Approximation Relations between Initial LFSR State and Keystream Words. Let Γ be the linear mask [25, 24, 14, 0], κ = C(Γ) = −2^{−21.41}, and ε = κ/2 = −2^{−22.41} throughout this section. Starting with the approximation (3) with correlation κ, we can obtain arbitrarily many linear approximations with correlation κ involving the initial LFSR state s_1, ..., s_10 and the keystream words using the relation

$$ (\Gamma_0, \Gamma_1, \ldots, \Gamma_9) \cdot (s_{t+j}, s_{t+j+1}, \ldots, s_{t+j+9}) = \bigl(\Omega^j(\Gamma_0, \Gamma_1, \ldots, \Gamma_9)\bigr) \cdot (s_t, s_{t+1}, \ldots, s_{t+9}) $$

for each j ≥ 0, where Ω is the "dual" of the LFSR update transformation and is given by

$$ \Omega(\Gamma_0, \Gamma_1, \Gamma_2, \Gamma_3, \Gamma_4, \Gamma_5, \Gamma_6, \Gamma_7, \Gamma_8, \Gamma_9) = \bigl(\alpha^* \Gamma_9,\ \Gamma_0,\ \Gamma_1,\ \Gamma_2 \oplus (\alpha^{-1})^* \Gamma_9,\ \Gamma_3,\ \Gamma_4,\ \Gamma_5,\ \Gamma_6,\ \Gamma_7,\ \Gamma_8 \oplus \Gamma_9\bigr), $$

where α*Γ and (α^{-1})*Γ are the 32-bit linear masks such that (α*Γ)(x) = Γ(αx) and ((α^{-1})*Γ)(x) = Γ(α^{-1}x) for each 32-bit x.

To be more explicit, the approximation relations (3) can be rewritten as

$$ (\Gamma \oplus \alpha^*\Gamma,\ 0,\ \Gamma,\ \Gamma \oplus (\alpha^{-1})^*\Gamma,\ 0, 0, 0, 0, 0,\ \Gamma) \cdot (s_1, \ldots, s_{10}) = \Gamma z_1 \oplus \Gamma z_4 $$
$$ (\Gamma \oplus \alpha^*\Gamma,\ 0,\ \Gamma,\ \Gamma \oplus (\alpha^{-1})^*\Gamma,\ 0, 0, 0, 0, 0,\ \Gamma) \cdot (s_5, \ldots, s_{14}) = \Gamma z_5 \oplus \Gamma z_8 $$
$$ (\Gamma \oplus \alpha^*\Gamma,\ 0,\ \Gamma,\ \Gamma \oplus (\alpha^{-1})^*\Gamma,\ 0, 0, 0, 0, 0,\ \Gamma) \cdot (s_9, \ldots, s_{18}) = \Gamma z_9 \oplus \Gamma z_{12} \qquad (4) $$
$$ \cdots $$

which are again equivalent to

$$ (\Gamma \oplus \alpha^*\Gamma,\ 0,\ \Gamma,\ \Gamma \oplus (\alpha^{-1})^*\Gamma,\ 0, 0, 0, 0, 0,\ \Gamma) \cdot (s_1, \ldots, s_{10}) = \Gamma z_1 \oplus \Gamma z_4 $$
$$ \Upsilon(\Gamma \oplus \alpha^*\Gamma,\ 0,\ \Gamma,\ \Gamma \oplus (\alpha^{-1})^*\Gamma,\ 0, 0, 0, 0, 0,\ \Gamma) \cdot (s_1, \ldots, s_{10}) = \Gamma z_5 \oplus \Gamma z_8 $$
$$ \Upsilon^2(\Gamma \oplus \alpha^*\Gamma,\ 0,\ \Gamma,\ \Gamma \oplus (\alpha^{-1})^*\Gamma,\ 0, 0, 0, 0, 0,\ \Gamma) \cdot (s_1, \ldots, s_{10}) = \Gamma z_9 \oplus \Gamma z_{12} \qquad (5) $$
$$ \cdots $$

where Υ = Ω^4. Thus the complexity of getting R relations between the initial LFSR state and the keystream words is comparable to the complexity of getting 128R bits of keystream.

Recovering Part of the Initial LFSR State. We apply the "Second LFSR Derivation Technique" of [?]. Let $n = 320$ be the size of the LFSR state in bits and $m < n$. Let $\varepsilon' = 2\varepsilon^2 = 2^{-43.82}$ and $N = \left(\frac{2\lambda}{3\varepsilon'}\right)^2$, where $\lambda$ satisfies

$$\frac{1}{\sqrt{2\pi}} \int_{\lambda}^{\infty} e^{-t^2/2}\,dt = 2^{-m}.$$

Let $R = \sqrt{N 2^{n-m+1}}$. Let $u_1, \ldots, u_n$ be the bits of the LFSR initial state $s_1, \ldots, s_{10}$. Suppose we have $R$ linear approximation relations of correlation $\varepsilon$ involving the $u_i$'s. Let $i_1, \ldots, i_m$ be any integers such that $1 \le i_1 < \cdots < i_m \le n$. XORing pairs of those $R$ equations, we get about $R(R-1)2^{m-n-1} \approx N$ approximation relations with correlation $2\varepsilon'$ involving only $u_{i_1}, \ldots, u_{i_m}$ among the $u_j$'s. Let these relations be

$$a^j_{i_1} u_{i_1} + \cdots + a^j_{i_m} u_{i_m} = b^j \qquad (j = 1, \ldots, N). \qquad (6)$$

Let us define the function $\sigma : GF(2)^m \to \mathbb{Z}$ by

$$\sigma(a_1, \ldots, a_m) = \bigl|\{ j \in \{1, \ldots, N\} : (a^j_{i_1}, \ldots, a^j_{i_m}) = (a_1, \ldots, a_m),\ b^j = 0 \}\bigr| - \bigl|\{ j \in \{1, \ldots, N\} : (a^j_{i_1}, \ldots, a^j_{i_m}) = (a_1, \ldots, a_m),\ b^j = 1 \}\bigr|.$$

Let $W$ be the fast Walsh transform defined by

$$W(f)(u) = \sum_{v \in GF(2)^m} (-1)^{u \cdot v} f(v)$$

for $f : GF(2)^m \to \mathbb{Z}$. Note that, for each $(u_{i_1}, \ldots, u_{i_m})$,

$$W(\sigma)(u_{i_1}, \ldots, u_{i_m}) = \bigl(\text{the number of relations in (6) satisfied by } (u_{i_1}, \ldots, u_{i_m})\bigr) - \bigl(\text{the number of relations in (6) not satisfied by } (u_{i_1}, \ldots, u_{i_m})\bigr). \qquad (7)$$

For the right value of $(u_{i_1}, \ldots, u_{i_m})$, the above number follows the normal distribution $N(2N\varepsilon', N(1-4\varepsilon'^2))$. So, using $N(1-4\varepsilon'^2) \approx N$, we treat it as $N(2N\varepsilon', N)$ for the right value of $(u_{i_1}, \ldots, u_{i_m})$. But for random $(u_{i_1}, \ldots, u_{i_m})$, (7) follows the distribution $N(0, N)$. So for random $(u_{i_1}, \ldots, u_{i_m})$,

$$\Pr\Bigl[W(\sigma)(u_{i_1}, \ldots, u_{i_m}) > \tfrac{3}{2} N \varepsilon'\Bigr] = \frac{1}{\sqrt{2\pi}} \int_{\lambda}^{\infty} e^{-t^2/2}\,dt = 2^{-m}.$$

Thus, when we use the threshold value $\frac{3}{2} N \varepsilon'$ for determining whether a partial LFSR state candidate $(u_{i_1}, \ldots, u_{i_m})$ is the right one, we have non-detection probability less than $\frac{1}{\sqrt{2\pi}} \int_{\lambda/3}^{\infty} e^{-t^2/2}\,dt$ and false alarm rate $2^{-m}$.

Table 2. Complexity of the Attack

                      with Precomputation                          without Precomputation
                      time (unit)  memory (bit)  data (bit)        time (unit)  memory (bit)  data (bit)
Precomputation        2^147.47     2^148.34      -                 -            -             -
Online computation    2^144.66     2^144.55      2^145.50          2^147.88     2^147.10      2^145.50
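As an added example (not part of the paper), the following Python code carries out the parameter choice and the pair-and-Walsh recovery step described above on a toy instance. `attack_parameters` solves for $\lambda$ and evaluates $N = (2\lambda/(3\varepsilon'))^2$, $R = \sqrt{N 2^{n-m+1}}$ and the threshold $\frac{3}{2}N\varepsilon'$ from $(n, m, \varepsilon')$; for $n = 320$, $m = 138$, $\varepsilon' = 2^{-43.82}$ it gives $\lambda \approx 13.6$, $N \approx 2^{94.0}$ and $R \approx 2^{138.5}$. `recover_partial` recovers the lower $m$ bits of a random $n$-bit secret from $R$ relations: random $n$-bit masks with a fixed bias stand in for the structured Sosemanuk masks (an assumption; the secret and the noisy relations are constructed inside the block), pairs are formed by grouping relations whose masks agree on the other $n-m$ positions, $\sigma$ is accumulated from the pairs, Walsh-transformed and compared with the threshold.

```python
# Added example (not part of the paper): the parameter choice and the
# pair-and-Walsh recovery step described above, run on a toy instance.
# Assumptions: a random n-bit secret and R random n-bit masks stand in for the
# structured Sosemanuk masks, and each relation holds with probability 1/2+eps.
import math
import random
from collections import defaultdict

def normal_tail(x):
    """(1/sqrt(2 pi)) * integral_x^infinity exp(-t^2/2) dt."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))

def solve_lambda(m):
    """lambda with normal_tail(lambda) = 2^-m (bisection; the tail is decreasing)."""
    lo, hi, target = 0.0, 64.0, 2.0 ** (-m)
    for _ in range(200):
        mid = (lo + hi) / 2
        if normal_tail(mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def attack_parameters(n, m, log2_eps_prime):
    """Return (lambda, log2 N, log2 R, log2 threshold) for eps' = 2^log2_eps_prime:
    N = (2 lambda / (3 eps'))^2, R = sqrt(N 2^(n-m+1)), threshold = (3/2) N eps'."""
    lam = solve_lambda(m)
    log2_n = 2 * (math.log2(2 * lam / 3) - log2_eps_prime)
    log2_r = (log2_n + n - m + 1) / 2
    log2_thr = math.log2(1.5) + log2_n + log2_eps_prime
    return lam, log2_n, log2_r, log2_thr

def fwht(f):
    """In-place fast Walsh transform: f[u] <- sum_v (-1)^(u.v) f[v]."""
    h = 1
    while h < len(f):
        for i in range(0, len(f), 2 * h):
            for j in range(i, i + h):
                x, y = f[j], f[j + h]
                f[j], f[j + h] = x + y, x - y
        h *= 2
    return f

def parity(x):
    return bin(x).count("1") & 1

def make_relations(secret, n, R, eps, rng):
    """R relations a.u = b over GF(2)^n, each correct with probability 1/2 + eps
    (constructed noisy data standing in for keystream-derived relations)."""
    rels = []
    for _ in range(R):
        a = rng.getrandbits(n)
        b = parity(a & secret)
        if rng.random() >= 0.5 + eps:      # corrupt with probability 1/2 - eps
            b ^= 1
        rels.append((a, b))
    return rels

def recover_partial(rels, n, m, eps_prime):
    """Recover the low m secret bits: pair relations whose masks agree on the
    other n-m bits (so the XOR involves only the m kept bits), accumulate
    sigma over GF(2)^m, Walsh-transform it, and apply the (3/2) N eps' threshold."""
    low, high = (1 << m) - 1, ((1 << n) - 1) ^ ((1 << m) - 1)
    groups = defaultdict(list)              # grouping replaces the sort step
    for a, b in rels:
        groups[a & high].append((a & low, b))
    sigma, N = [0] * (1 << m), 0
    for grp in groups.values():
        for i in range(len(grp)):
            for k in range(i + 1, len(grp)):
                x = grp[i][0] ^ grp[k][0]   # X_{i,k}: XOR restricted to the kept bits
                sigma[x] += 1 if grp[i][1] == grp[k][1] else -1
                N += 1
    w = fwht(sigma)
    threshold = 1.5 * N * eps_prime
    return [u for u in range(1 << m) if w[u] > threshold], N

def demo(n=16, m=8, R=2000, eps=0.25, seed=7):
    """Returns (candidates passing the threshold, true low m bits, N)."""
    rng = random.Random(seed)
    secret = rng.getrandbits(n)
    rels = make_relations(secret, n, R, eps, rng)
    cands, N = recover_partial(rels, n, m, 2 * eps * eps)
    return cands, secret & ((1 << m) - 1), N

if __name__ == "__main__":
    lam, lN, lR, lT = attack_parameters(320, 138, -43.82)
    print("lambda=%.2f  log2 N=%.2f  log2 R=%.2f  log2 threshold=%.2f" % (lam, lN, lR, lT))
    print("toy recovery (candidates, truth, N):", demo())
```

In the toy run the surviving candidate list contains exactly the true low byte of the secret: with $N \approx 7800$ pairs and $\varepsilon' = 1/8$ the right value scores about $2N\varepsilon'$ against a threshold of $\frac{3}{2}N\varepsilon'$, many standard deviations above the $N(0, N)$ scores of the wrong values.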

Complexity of the Attack. The attack can be performed in two ways. One way is to precompute the coefficients $(a^j_{i_1}, \ldots, a^j_{i_m})$ and then perform all other computations in the online phase. The other is to perform all the computations online. The complexities of both ways are described below and summarized in Table 2.

Attack with Precomputation. To recover the partial bits $u_{i_1}, \ldots, u_{i_m}$ of the initial state, in the precomputation phase we get the coefficients of the left-hand sides of the $R$ approximation relations (5) between the LFSR initial state and the keystream words. Store the $(320 + \lceil \log_2(R) \rceil)$-bit values $(U_i, i)$ $(i = 0, \ldots, R-1)$ in a list, where

$$U_i := \Theta^{4i}(\Gamma \oplus \alpha^*\Gamma,\ 0,\ \Gamma,\ \Gamma \oplus (\alpha^{-1})^*\Gamma,\ 0,0,0,0,0,\ \Gamma)$$

for each $i$. Then sort the list according to the components in $\{1, \ldots, n\} - \{i_1, \ldots, i_m\}$. For each pair $(i,k)$ such that the components of $U_i$ and $U_k$ in $\{1, \ldots, n\} - \{i_1, \ldots, i_m\}$ coincide, compute $X_{i,k} :=$ ($U_i \oplus U_k$ restricted to the $i_1$-th, $\ldots$, $i_m$-th components), and store $(X_{i,k}, i, k)$ in a list. The list has about $N$ entries of size $m + 2\lceil \log_2(R) \rceil$. In the online phase, set the function $\sigma : GF(2)^m \to \mathbb{Z}$ to zero. Let $w_i = \Gamma z_{4i+1} \oplus \Gamma z_{4i+4}$ for each $i = 0, \ldots, R-1$. For each $(X_{i,k}, i, k)$ in the list, compute the value $w_i + w_k$ and update $\sigma$. (The update rule is that $\sigma(X_{i,k})$ increases by 1 if $w_i + w_k = 0$ and decreases by 1 otherwise.) Perform the fast Walsh transform on $\sigma$ and check if there is some $(u_{i_1}, \ldots, u_{i_m})$ such that $W(\sigma)(u_{i_1}, \ldots, u_{i_m}) > \frac{3}{2} N\varepsilon'$. The complexity of the above attack to recover $m$ bits of the initial LFSR state is as follows. We assume the complexity of the basic operations as in Table 3. The precomputation phase has time complexity of about $128R + R\log_2(R)(320 + \lceil \log_2(R) \rceil) + (N + R)(320 + \lceil \log_2(R) \rceil)$ and memory requirement of $R(320 + \lceil \log_2(R) \rceil) + N(m + 2\lceil \log_2(R) \rceil)$ bits if we apply a sorting algorithm of small memory requirement. The online phase takes $2^m \lceil \log_2(N) \rceil$ bits of memory and time complexity of $8N + m 2^m \lceil \log_2(N) \rceil$. The data complexity of the online phase is $2^7 R$ bits. Let $m = 138$. Then $\lambda \approx 13.6$ (by e.g. Lemma 1 in the Appendix), $N = 2^{94.00}$ and $R = 2^{138.50}$. For recovery of the whole $n$ bits of the LFSR initial state, we recover $(u_1, \ldots, u_m)$ and $(u_m, \ldots, u_{2m-1})$ using the above method. Then restore the remaining 45 bits of the initial LFSR state and the 64 initial FSM bits simultaneously using exhaustive search. The precomputation phase has time complexity $128R + 2\bigl(R\log_2(R)(320 + \lceil \log_2(R) \rceil) + (N + R)(320 + \lceil \log_2(R) \rceil)\bigr) = 2^{155.47}$. (The number in the table is $2^{147.47}$, regarding 1 time unit as the time needed to generate 256 bits of keystream, which is not greater than the time cost of one trial in the exhaustive search.) The required memory is $2R(320 + \lceil \log_2(R) \rceil) + N(m + 2\lceil \log_2(R) \rceil) = 2^{148.34}$ bits. The online phase has time complexity $2(8N + m2^m \lceil \log_2(N) \rceil) = 2^{152.66}$, memory requirement $2^m \lceil \log_2(N) \rceil = 2^{144.55}$ bits, and data complexity $2^7 R = 2^{145.50}$ bits. The non-detection probability is less than $\frac{1}{\sqrt{2\pi}} \int_{\lambda/3}^{\infty} e^{-t^2/2}\,dt < 0.01$. We mention that the increased complexity due to sorting was not considered in [?].

Table 3. Complexity of basic operations

operations                                    time complexity
XOR of two k-bit words                        k
Comparison of two k-bit words                 k
Sorting a list with r k-bit entries           k r log_2(r)
Walsh transform for 2^m k-bit integers        k m 2^m

Attack without Precomputation. To recover the partial bits $u_{i_1}, \ldots, u_{i_m}$ of the initial LFSR state, we first get all the coefficients of the $R$ approximation relations using the keystream. Store the $(320 + 1)$-bit values $(U_i, w_i)$ $(i = 0, \ldots, R-1)$. Then sort the list according to the components in $\{1, \ldots, n\} - \{i_1, \ldots, i_m\}$. Set the function $\sigma$ to zero. For each pair $(i,k)$ such that the components of $U_i$ and $U_k$ in $\{1, \ldots, n\} - \{i_1, \ldots, i_m\}$ coincide, compute $X_{i,k}$ and update the function $\sigma$ using $(X_{i,k}, w_i + w_k)$. Perform the fast Walsh transform on $\sigma$ and check if there is some $(u_{i_1}, \ldots, u_{i_m})$ such that $W(\sigma)(u_{i_1}, \ldots, u_{i_m}) > \frac{3}{2} N\varepsilon'$. The time complexity is about $128R + R\log_2(R)(n+1) + N(n+1) + m2^m\lceil \log_2(N) \rceil$ and the memory requirement is about $\lceil \log_2(N) \rceil 2^m + (320+1)R$ bits. The data complexity is $2^7 R$ bits. Let $m = 138$. For recovery of the whole $n$ bits of the LFSR initial state, we recover $(u_1, \ldots, u_m)$ and $(u_m, \ldots, u_{2m-1})$ using the above method. Then restore the remaining 45 bits of the initial LFSR state and the 64 initial FSM bits simultaneously using exhaustive search. The time complexity is $2\bigl(128R + R\log_2(R)(n+1) + N(n+1) + m2^m\lceil \log_2(N) \rceil\bigr) + 129 \cdot 2^{129} = 2^{155.88}$. The memory requirement is $\lceil \log_2(N) \rceil 2^m + (320+1)R = 2^{147.10}$ bits, and the data complexity is $2^7 R = 2^{145.50}$ bits.

Improving the Attack. We can reduce the data complexity without increasing the time complexity. For the Serpent S-box $S_2$, we have 8 linear approximations with correlation $\frac{1}{2}$ of the form

$$x_{(i)} + x_{(i+1)} + (\text{terms involving only } y) = 0.$$

Using these approximations, we can get 8 linear approximation relations involving the LFSR initial state and the keystream words with correlation $\varepsilon$. Thus we can reduce the data complexity at least by a factor of $2^3$. We can also reduce the memory requirement of the attack using the "Improved Hybrid Method" of [?] without increasing the time complexity or the data complexity much.

5 Simulations and Results 

5.1 Simulations for a Reduced Cipher 

We validate our claims by simulating a reduced version of the Sosemanuk keystream generator, defined as follows. It consists of an LFSR of five bytes and an FSM of two bytes. The LFSR state at time $t$ is $(s_t, s_{t+1}, \ldots, s_{t+4})$. The LFSR is updated using the relation

$$s_{t+5} = s_{t+4} \oplus \beta^{-1} s_{t+3} \oplus \beta s_t,$$

where $\beta$ is a zero of $x^8 + x^7 + x^5 + x^3 + 1$ in

$$GF(2^8) = GF(2)(\beta) = GF(2)[x] / \langle x^8 + x^7 + x^5 + x^3 + 1 \rangle.$$

The FSM state at time $t$ is denoted by $(R1_t, R2_t)$. The FSM is updated as follows:

$$R1_t = R2_{t-1} + \bigl(s_{t+1} \oplus \mathrm{lsb}(R1_{t-1})\, s_{t+3}\bigr) \pmod{2^8},$$

$$R2_t = \mathrm{Trans}(R1_{t-1}) = \bigl((M \times R1_{t-1}) \pmod{2^8}\bigr) \lll 3,$$

where $M = \mathtt{0x59}$. The FSM has output

$$f_t = \bigl((s_{t+4} + R1_t) \pmod{2^8}\bigr) \oplus R2_t.$$

The keystream bytes are obtained as follows:

$$(z_{t+3}, z_{t+2}, z_{t+1}, z_t) = \mathrm{Serpent1}(f_{t+3}, f_{t+2}, f_{t+1}, f_t) \oplus (s_{t+3}, s_{t+2}, s_{t+1}, s_t) \qquad (t \equiv 1 \pmod 4).$$

Then we get a linear approximation relation

$$\Gamma s_t \oplus \Gamma s_{t+2} \oplus \Gamma s_{t+3} \oplus \Gamma s_{t+5} = \Gamma z_t \oplus \Gamma z_{t+3} \qquad (t \equiv 1 \pmod 4)$$

with correlation

$$(-1)^{\mathrm{wt}(\Gamma)+1}\; c_3^{+}(\Gamma)\; C^{+}(\Gamma)\; 2^{-(\mathrm{wt}(\Gamma)+1)}$$
when $t \equiv 1 \pmod 4$, for each 8-bit mask $\Gamma$. In the simulation, we generate $2^{30}$ bytes of keystream and observe the actual correlation of the linear approximation regarding the LFSR states and the keystream bytes for various initial internal states. The observed actual correlation is about $-2^{-6.12}$ when $\Gamma = [5,0]$ and about $-2^{-10.31}$ when $\Gamma = [7,2]$, regardless of the initial internal state. Using the observed correlation for $\Gamma = [5,0]$, we are able to recover the initial internal state using the method explained in Sect. 4. The parameters are $n = 40$, $m = 24$, $\lambda = 2.83$, $N = 2^{30.31}$ and $R = 2^{23.66}$. We get $R$ approximation relations regarding the $n$-bit initial LFSR state and the keystream words. Then we get about $N$ approximations regarding the latter $m$ bits of the initial LFSR state. Applying the fast Walsh transform to an array with $2^m$ entries, we can recover the $m$ bits correctly most of the time. We performed the experiments to recover the latter 24 bits of the initial LFSR state for 100 initial internal states as follows.

- LFSR initial states: $(i, i+1, i+2, i+3, i+4)$ $(i = 0, \ldots, 99)$
- FSM initial state: $(0, 0)$ (fixed)

With the threshold $\frac{3}{2} N 2^{-13.24} = 206382$, we were able to get the right 24-bit value in each case except when $i = 26$. In each case 0 to 4 false alarms occurred, with an average of 1.18. A few minutes were spent on a Pentium IV 3.4GHz CPU with 1GB RAM for each case. These experimental results corroborate our assertions.

Cryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks 535

Table 4. Correlations with respect to linear masks of weight 2

Γ       log2(|c_3^+(Γ)|)   log2(|C^+(Γ)|)   -(wt(Γ)+1)   correlation
[5,0]   -1.59              -1.91            -3           -2^-6.50
[6,1]   -10                -3               -3           -2^-16
[7,2]   -3.57              -3.36            -3           -2^-9.93


5.2 Simulations with Long Keystreams for Full Sosemanuk

To check the correlation of relations (3) in another way, we generate long keystreams of Sosemanuk for some initial internal states. We consider the following 2 LFSR initial states and 8 FSM initial states.

- LFSR initial states
  • A: (0x9000, 0x8000, ..., 0x1000, 0x0000)
  • B: (0x9111, 0x8000, ..., 0x1000, 0x0111) (the same as A except for the first and the last word)
- FSM initial states: (0x0000, 0x0000), ..., (0x7000, 0x7000)

For each of the 16 initial states, we generate a Sosemanuk keystream of $2^{53}$ bits, count how many of the $2^{46}$ induced relations (3) are satisfied for the mask $\Gamma = [25, 24, 14, 0]$, and compute the observed correlation. The results are as in Table 5. In the table, "z-value" represents

$$\frac{(\text{the number of satisfied relations among the } 2^{46}) - (2^{45} + 2^{45} C(\Gamma))}{2^{22}},$$

which is the normalized deviation in the assumed normal distribution. In total, the observed correlation using the $2^{50}$ relations is $-2^{-21.45}$, which is very close to $C(\Gamma)$. This result also corroborates our assertions.

Table 5. Simulation Result for Long Keystreams

6 Correlation Attack on SNOW 2.0

SNOW 2.0 [?] consists of an LFSR of 16 words and an FSM of 2 words. In [?], it was shown that there exists a linear approximation relation of the LFSR bits and keystream bits with bias $2^{-15.496}$, or correlation $2^{-14.496}$ [?, Table 2]. One such approximation relation is

$$\Lambda s_t + \Lambda s_{t+1} + \Lambda s_{t+5} + \Lambda s_{t+15} + \Lambda s_{t+16} = \Lambda z_t + \Lambda z_{t+1},$$

where $\Lambda = [0, 15, 16]$. Applying the "Second LFSR derivation technique" again with parameters $n = 512$ and $\varepsilon = 2^{-15.496}$, we can mount a correlation attack on SNOW 2.0 without precomputation as follows.

Let $m = 192$. Using the same notation as in Sect. 4, $\lambda \approx 16.1$, $N = 2^{66.54}$ and $R = 2^{193.77}$. The time complexity of the attack for recovering $m$ bits is $32R + R\log_2(R)(n+1) + N(n+1) + m2^m\lceil\log_2(N)\rceil$. (The factor 32 comes from the fact that 32 bits of keystream are needed per approximation relation.) The memory requirement is about $\lceil\log_2(N)\rceil 2^m + (512+1)R$ bits. The data complexity is $2^5 R$ bits. For recovery of the whole initial LFSR state, recover partial 192 bits of the LFSR three times and then recover the initial FSM state by exhaustive search. The total time complexity is $3\bigl(32R + R\log_2(R)(n+1) + N(n+1) + m2^m\lceil\log_2(N)\rceil\bigr) = 2^{212.38}$. The memory complexity is about $\lceil\log_2(N)\rceil 2^m + (512+1)R = 2^{202.83}$ bits. The data complexity is $2^5 R = 2^{198.77}$ bits. Since the initialization of SNOW 2.0 is a reversible process, we can recover the key from the initial state.

7 Conclusion

We described an attack recovering the initial internal state of Sosemanuk with time complexity $2^{147.88}$, memory complexity $2^{147.10}$ bits, and data complexity $2^{145.50}$ bits. Though the attack does not threaten the claimed 128-bit security of Sosemanuk, it indicates that using keys longer than 150 bits for Sosemanuk does not guarantee the security level of the key size. The main reason Sosemanuk is vulnerable to the attack described in this paper is that the LFSR state is too small in the presence of a relatively large correlation between the LFSR state and the keystream words. A similar attack of complexity $2^{204.38}$ is valid against SNOW 2.0.
A An Approximation of the Cumulative Normal Distribution Function

Lemma 1. For any $0 < a < 1$, we have

$$\frac{a}{\lambda} e^{-\lambda^2/2} < \int_{\lambda}^{\infty} e^{-t^2/2}\,dt < \frac{1}{\lambda} e^{-\lambda^2/2}$$

for any $\lambda > 1$ such that $a < \frac{\lambda^2}{\lambda^2 + 1}$.

Proof. Let

$$F(x) = \int_{x}^{\infty} e^{-t^2/2}\,dt - \frac{1}{x} e^{-x^2/2} \qquad (x > 0).$$

Then $F'(x) = \frac{1}{x^2} e^{-x^2/2} > 0$ and $\lim_{x \to \infty} F(x) = 0$. Hence $F(x) < 0$ for all $x > 0$.

Let

$$G(x) = \int_{x}^{\infty} e^{-t^2/2}\,dt - \frac{a}{x} e^{-x^2/2} \qquad (x > 0).$$

Then $G'(x) = (a - 1)e^{-x^2/2} + \frac{a}{x^2} e^{-x^2/2}$, so that $G'(x) < 0$ if $a < \frac{x^2}{x^2 + 1}$. Since $\lim_{x \to \infty} G(x) = 0$, $G(x) > 0$ when $a < \frac{x^2}{x^2 + 1}$. □
Abstract. In [?], Biryukov presented a new methodology of stream cipher design, called leak extraction. The stream cipher LEX, based on this methodology and on the AES block cipher, was selected to phase 3 of the eSTREAM competition. The suggested methodology seemed promising, and LEX, due to its elegance, simplicity and performance, was expected to be selected to the eSTREAM portfolio.

In this paper we present a key recovery attack on LEX. The attack requires about $2^{36.3}$ bytes of key stream produced by the same key (possibly under many different IVs), and retrieves the secret key in time of $2^{112}$ simple operations. Following a preliminary version of our attack, LEX was discarded from the final portfolio of eSTREAM.

Keywords: LEX, AES, stream cipher design.
1 Introduction

The design of stream ciphers, and more generally, pseudo-random number generators (PRNGs), has been a subject of intensive study over the last decades. One of the well-known methods to construct a PRNG is to base it on a keyed pseudo-random permutation. A provably secure construction of this class is given by Goldreich and Levin [?]. An instantiation of this approach (even though an earlier one) is the Blum and Micali [?] construction (based on the hardness of RSA). A more efficiency-oriented construction is the BMGL stream cipher [?] (based on the Rijndael block cipher). However, these constructions are relatively slow, and hence are not used in practical applications.

* The first author was supported by the France Telecom Chaire. Some of the work presented in this paper was done while the first author was staying at K.U. Leuven, Belgium and supported by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy).

** The second author is supported by the Adams Fellowship Program of the Israel Academy of Sciences and Humanities.

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 539-556, 2008.
In [?], Biryukov presented a new methodology for constructing PRNGs of this class, called leak extraction. In this methodology, the output key stream of the stream cipher is based on parts of the internal state of a block cipher at certain rounds (possibly after passing an additional filter function). Of course, in such a case, the "leaked" parts of the internal state have to be chosen carefully such that the security of the resulting stream cipher is comparable to the security of the original block cipher.

As an example of the leak extraction methodology, Biryukov presented in [?] the stream cipher LEX, in which the underlying block cipher is AES. The key stream of LEX is generated by applying AES in the OFB (Output Feedback Block) mode of operation and extracting 32 bits of the intermediate state after the application of each full AES round.

LEX was submitted to the eSTREAM competition (see [?]). Due to its high speed (2.5 times faster than AES), fast key initialization phase (a single AES encryption), and expected security (based on the security of AES), LEX was considered a very promising candidate and was selected to the third (and final) phase of evaluation.

During the eSTREAM competition, LEX attracted a great deal of attention from cryptanalysts due to its simple structure, but nevertheless, only two attacks on the cipher were reported: a slide attack [?] requiring $2^{61}$ different IVs (each producing 20,000 key stream bytes), and a generic attack [?] requiring $2^{65.7}$ re-synchronizations. Both attacks are applicable only against the original version of LEX presented in [?], but not against the tweaked version submitted to the second phase of eSTREAM [?]. In the tweaked version, the number of IVs used with a single key is bounded by $2^{32}$, and hence both attacks require too much data and are not applicable to the tweaked version.

In this paper we present an attack on LEX. The attack requires about $2^{36.3}$ bytes of key stream produced by the same key, possibly under different IVs. The time complexity of the attack is $2^{112}$ simple operations. Following a preliminary version of our attack, LEX was discarded from the final portfolio of eSTREAM.

Our attack is composed of three steps:

1. Identification of a special state: We focus our attention on pairs of AES encryptions whose internal states satisfy a certain difference pattern. While the probability of occurrence of the special pattern is $2^{-64}$, the pattern can be observed by a 32-bit condition on the output stream. Thus, the attacker repeats the following two steps for about $2^{32}$ cases which satisfy this 32-bit condition.

2. Extracting information on the special state: By using the special difference pattern of the pair of intermediate values, and guessing the difference in eight more bytes, the attacker can retrieve the actual values of 16 internal state bytes in both encryptions.

3. Guess-and-determine attack on the remaining unknown bytes: Using the additional known byte values, the attacker can mount a guess-and-determine attack that retrieves the key using about $2^{112}$ simple operations in total.
The second and the third steps of the attack use several observations on the structure of the AES round function and key schedule algorithm (see footnote 1). One of them is the following, probably novel, observation:

Proposition 1. Denote the 128-bit subkey used in the $r$-th round of AES-128 by $k_r$, and denote the bytes of this subkey by a 4-by-4 array $\{k_r(i,j)\}_{i,j=0}^{3}$. Then for every $0 \le i \le 3$ and $r$,

$$k_r(i,1) = k_{r+2}(i,1) \oplus SB\bigl(k_{r+1}(i+1, 3)\bigr) \oplus RCON_{r+2}(i),$$

where $SB$ denotes the SubBytes operation, $RCON_{r+2}$ denotes the round constant used in the generation of the subkey $k_{r+2}$, and $i+1$ is replaced by 0 for $i = 3$.

It is possible that the observations on the structure of AES presented in this paper can be used not only in attacks on LEX, but also in attacks on AES itself.

This paper is organized as follows: In Section 2 we briefly describe the structures of AES and LEX, and present the observations on AES used in our attack. In Section 3 we show that a specific difference pattern in the internal state can be partially detected by observing the output stream, and can be used to retrieve the actual value of 16 bytes of the internal state (in both encryptions). In Section 4 we leverage the knowledge of these 16 bytes into a complete key recovery attack that requires about $2^{112}$ simple operations. We give several additional observations that may be useful for further cryptanalysis of LEX in Section 5. We conclude the paper in Section 6.

2 Preliminaries

In this section we describe the structures of AES and LEX, and present the observations on AES used in our attack.

2.1 Description of AES

The Advanced Encryption Standard [?] is an SP-network that supports key sizes of 128, 192, and 256 bits. As this paper deals with LEX, which is based on AES-128, we concentrate the description on this variant and refer the reader to [?] for a complete detailed description of AES.

A 128-bit plaintext is treated as a byte matrix of size 4x4, where each byte represents a value in $GF(2^8)$. An AES round applies four operations to the state matrix:

- SubBytes (SB): applying the same 8-bit to 8-bit invertible S-box 16 times in parallel on each byte of the state,

¹ We note that in [?] it was remarked that the relatively simple key schedule of AES may affect the security of LEX, and it was suggested to replace the AES subkeys by 1280 random bits. Our attack, which relies heavily on properties of the AES key schedule, would fail if such a replacement were performed. However, some of our observations can be used in this case as well.
Fig. 1. An AES round

- ShiftRows (SR): cyclic shift of each row (the $i$-th row is shifted by $i$ bytes to the left),

- MixColumns (MC): multiplication of each column by a constant 4x4 matrix over the field $GF(2^8)$, and

- AddRoundKey (ARK): XORing the state with a 128-bit subkey.

We outline an AES round in Figure 1. Throughout the paper we allow ourselves the abuse of notation $SB(x)$ to denote the application of the S-box to $x$ (whether it is one S-box when $x$ is an 8-bit value, or four times when $x$ is a 32-bit value). In the first round, an additional AddRoundKey operation (using a whitening key) is applied, and in the last round the MixColumns operation is omitted. We note that in LEX these changes to the first and last round are not applied.

AES-128, i.e., AES with 128-bit keys, has 10 rounds. For this variant, 11 subkeys of 128 bits each are derived from the key. The subkey array is denoted by $W[0, \ldots, 43]$, where each word of $W[\cdot]$ consists of 32 bits. The first four words of $W[\cdot]$ are loaded with the user supplied key. The remaining words of $W[\cdot]$ are updated according to the following rule:

- For $i = 4, \ldots, 43$, do
  • If $i \equiv 0 \pmod 4$ then $W[i] = W[i-4] \oplus SB(W[i-1] \lll 8) \oplus RCON[i/4]$,
  • Otherwise $W[i] = W[i-1] \oplus W[i-4]$,

where $RCON[\cdot]$ is an array of predetermined constants, and $\lll$ denotes rotation of the word by 8 bits to the left.

2.2 Description of LEX

For ease of description, we describe only the tweaked version of LEX submitted to the second phase of eSTREAM [?]. The original version of LEX can be found in [?]. We note that our attacks can be easily adapted to the original version as well.

In the initialization step, the publicly known IV is encrypted by AES (see footnote 2) under the secret key $K$ to get $S = AES_K(IV)$. Then, $S$ is repeatedly encrypted in the OFB mode of operation under $K$, where during the execution of each encryption, 32 bits of the internal state are leaked each round. These state bits compose the key stream of LEX. The state bytes used in the key stream are shown in Figure 2. After 500 encryptions, another IV is chosen, and the process is repeated. After $2^{32}$ different IVs, the secret key is replaced (see footnote 3).

² Actually, LEX uses a tweaked version of AES where the AddRoundKey before the first round is omitted, and the MixColumns operation of the last round is present. We allow ourselves the slight abuse of notation, for the sake of clarity.

A New Attack on the LEX Stream Cipher 543

Fig. 2. Odd and Even Rounds of LEX (the gray bytes are the output bytes)


2.3 Notations Used in the Paper

As in [?], the bytes of each internal state during AES encryption, as well as the bytes of the subkeys, are denoted by a 4-by-4 array $\{b_{i,j}\}_{i,j=0}^{3}$, where $b_{i,j}$ is the $j$-th byte in the $i$-th row. For example, the output bytes in the even rounds are $b_{0,1}, b_{0,3}, b_{2,1}, b_{2,3}$.

2.4 Observations on AES Used in Our Attack

Throughout the paper we use several observations concerning AES.

Observation 1. For every non-zero input difference to the SubBytes operation, there are 126 possible output differences with probability $2^{-7}$ each (i.e., only a single input pair with the given difference leads to the specified output difference), and a single output difference with probability $2^{-6}$.

As a result, for a randomly chosen pair of input/output differences of the SubBytes operation, with probability 126/256 there is exactly one unordered pair of values satisfying these differences. With probability 1/256 there are two such pairs, and with probability 129/256 there are no such pairs.

We note that while each ordered pair of input/output differences suggests one pair of actual values on average, it actually never suggests exactly one pair. In about half of the cases, two (or more) ordered pairs are suggested, and in the rest of the cases, no pairs are suggested. In the cases where two (or more) pairs are suggested, the analysis has to be repeated for each of the pairs. On the other hand, if no pairs are suggested, then the input/output differences pair is discarded as a wrong pair and the analysis is not performed at all. Hence,

³ We note that in the original version of LEX, the number of different IVs used with a single key was not bounded. Following the slide attack presented in [?], the number of IVs used with each key was restricted. This restriction also prevents the attack suggested later in [?], which requires $2^{65.7}$ re-synchronizations.

Our attack uses this observation in situations where the attacker knows the 
input and output differences to some SubBytes operation. In such cases, using 
the observation she can deduce the actual values of the input and the output 
(for both encryptions). This can be done efficiently by preparing the difference 
distribution table jlj of the SubBytes operation, along with the actual values 
of the input pairs satisfying each input /output difference relation (rather than 
only the number of such pairs). In the actual attack, given the input and output 
differences of the SubBytes operation, the attacker can retrieve the corresponding 
actual values using a simple table lookup. 

Observation 2. Since the MixColumns operation is linear and invertible, if the 
values (or the differences) in any four out of its eight input/output bytes are 
known, then the values (or the differences, respectively) in the other four bytes 
are uniquely determined, and can be computed efficiently. 

The following two observations are concerned with the key schedule of AES. 
While the first of them is known (see [IB1), it appears that the second was not 
published before. 

Observation 3. For each 0 < i < 3, the subkeys of AES satisfy the relations: 
k r+2 (i,0) © k r+2 (i, 2) = k r (i, 2). 
k r+2 (i,l) ® k r+2 (i,3) =k r (i, 3). 

Proof. Recall that by the key schedule, for all 0 < i < 3 and for all 0 < j < 2, 
we have k r+2 (i,j) © k r + 2 (i,j + 1) = fc r +i(* + 1, j + 1). Hence, 

k r + 2 (i, 0) ffi k r + 2 (i, 2) = (k r + 2 (i, 0) © k r + 2 (i, 1)) ffi (k r + 2 (i, 1) © k r + 2 (i, 2)) = 
k r+ i(i, 1) © k r+ i(i, 2) = k r (i, 2), 
and the second claim follows similarly. 

Observation 4. For each 0 < i < 3, the subkeys of AES satisfy the relation: 
k r+2 (i, 1) ffi SB(k r+1 ((i + 1) mod 4,3)) ffi RCON r+2 (i) = k r (i, 1), 

Proof. In addition to the relation used in the proof of the previous observation, 
we use the relation 

k r+2 (i, 0) = k r+ i(i,Q) ffi SB(k r +i((i+ 1) mod 4, 3)) ffi RCON r+2 (i). 

Thus, 

k r+2 (i, 1) ffi SB(k r+1 ((i + 1) mod 4, 3)) ffi RCON r+2 (i ) = 

(k r+2 {i, 1) ffi k r+2 {i, 0)) ffi (k r+2 (i, 0) ffi SB(k r+1 ((i + 1) mod 4, 3)) 
®RCON r+2 (i)) = kr+i{i, 1) ffi k r+ i(i,0) = k r (i, 1). 

These two observations allow the attacker to use the knowledge of bytes of 
k r . |_2 (and the last column of k r+ 1 ) to get the knowledge of bytes in k r , while 
“skipping” (some of) the values of k r+ \. 
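As an added example (not part of the paper), the following Python code implements the AES-128 key schedule and checks Observations 1, 3 and 4 numerically. `check_key_schedule_observations` tests both relations of Observation 3 and the relation of Observation 4 (Proposition 1 of the introduction) for every round $r$ with $k_{r+2}$ defined and every row $i$ of a given key; `ddt_profile` reproduces the 126/1/129 split of Observation 1; `pairs_for` is the difference-distribution lookup with actual values described above, returning the empty list for a wrong pair of differences. The S-box is computed from its definition rather than typed in, $k_r(i,j)$ is byte $i$ of word $W[4r+j]$, and the keys tried in the usage block are constructed sample inputs.

```python
# Added example (not part of the paper): AES-128 key expansion plus a numeric
# check of Observations 1, 3 and 4 above.  The S-box is derived from its
# definition (inverse in GF(2^8) mod x^8+x^4+x^3+x+1, then the affine map),
# so no table has to be typed in.  k_r(i, j) is byte i of word W[4r + j].
import random

def gf_mul(a, b):
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
    return r

def gf_inv(a):
    r, e = 1, 254                     # a^254 = a^-1 in GF(2^8)
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def _rotl8(v, k):
    return ((v << k) | (v >> (8 - k))) & 0xFF

SBOX = []
for _x in range(256):
    _inv = gf_inv(_x) if _x else 0
    SBOX.append(_inv ^ _rotl8(_inv, 1) ^ _rotl8(_inv, 2) ^ _rotl8(_inv, 3) ^ _rotl8(_inv, 4) ^ 0x63)

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key):
    """AES-128 key schedule: 44 words W[0..43]; subkey k_r is W[4r..4r+3]."""
    W = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(W[i - 1])
        if i % 4 == 0:                # RotWord, SubWord, round constant
            t = [SBOX[t[1]], SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            t[0] ^= RCON[i // 4 - 1]
        W.append([W[i - 4][k] ^ t[k] for k in range(4)])
    return W

def subkey_byte(W, r, i, j):
    """k_r(i, j): row i, column j of subkey r."""
    return W[4 * r + j][i]

def rcon(r, i):
    """RCON_r(i): the round constant enters row 0 only."""
    return RCON[r - 1] if i == 0 else 0

def check_key_schedule_observations(key):
    """Observations 3 and 4 for every r with k_{r+2} defined and every row i."""
    W = expand_key(key)
    k = lambda r, i, j: subkey_byte(W, r, i, j)
    for r in range(9):
        for i in range(4):
            if k(r + 2, i, 0) ^ k(r + 2, i, 2) != k(r, i, 2):
                return False
            if k(r + 2, i, 1) ^ k(r + 2, i, 3) != k(r, i, 3):
                return False
            if k(r + 2, i, 1) ^ SBOX[k(r + 1, (i + 1) % 4, 3)] ^ rcon(r + 2, i) != k(r, i, 1):
                return False
    return True

def ddt_profile(din):
    """Observation 1: for input difference din, how many output differences are
    reached by exactly one unordered pair, by two pairs, and by none."""
    counts = [0] * 256
    for x in range(256):
        counts[SBOX[x] ^ SBOX[x ^ din]] += 1     # each unordered pair counted twice
    return counts.count(2), counts.count(4), counts.count(0)

def pairs_for(din, dout):
    """The table lookup of Section 2.4: unordered input pairs {x, x^din} with
    SBOX[x] ^ SBOX[x^din] == dout (empty for a wrong pair of differences)."""
    return [(x, x ^ din) for x in range(256)
            if x < x ^ din and SBOX[x] ^ SBOX[x ^ din] == dout]

if __name__ == "__main__":
    rng = random.Random(2008)                    # constructed sample keys
    keys = [bytes(range(16))] + [bytes(rng.randrange(256) for _ in range(16)) for _ in range(20)]
    print("Observations 3/4 hold for all keys:", all(map(check_key_schedule_observations, keys)))
    print("DDT profile for input difference 0x01:", ddt_profile(0x01))
```

The key-schedule check is exhaustive over rounds and rows for each key, so a single `False` would refute the observation; it is the same relation the attack later uses to jump from bytes of $k_{r+2}$ back to $k_r$ without knowing all of $k_{r+1}$.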
Fig. 3. The Special Difference Pattern (for Odd Rounds). In gray we mark bytes whose value is known from the output key stream.

3 Observable Difference Pattern in LEX

Our attack is applicable when the special difference pattern starts either in odd rounds or in even rounds. For simplicity of the description, we present the results assuming the difference pattern occurs in the odd rounds, and give in the Appendix the modified attack applicable when the difference pattern is observed in even rounds.

3.1 Detecting the Difference Pattern

Consider two AES encryptions under the same secret key, $K$. The special difference pattern corresponds to the following event: the difference between the intermediate values at the end of the $(r+1)$-th round is non-zero only in bytes $b_{0,0}, b_{0,2}, b_{1,1}, b_{1,3}, b_{2,0}, b_{2,2}, b_{3,1}$, and $b_{3,3}$. The probability of this event is $2^{-64}$. The pattern, along with the evolution of the differences in rounds $r$, $r+1$, $r+2$, and $r+3$, is presented in Figure 3.

The difference pattern can be partially observed by a 32-bit condition on the output key stream: if the pattern holds, then all four output bytes in round $r+2$ (bytes $b_{0,1}, b_{0,3}, b_{2,1}, b_{2,3}$) have zero difference.

Therefore, it is expected that amongst $2^{64}$ pairs of AES encryptions under the same key, one of the pairs satisfies the difference pattern, and about $2^{32}$ pairs satisfy the filtering condition. Thus, the following steps of the attack have to be repeated $2^{32}$ times on average (once for each candidate pair).

We note that if the special difference pattern is satisfied, then by the linearity of the MixColumns operation, there are only $255^2$ possible values for the difference in each of the columns before the MixColumns operation of round $r+1$ (denoted by $\beta$'s and $\epsilon$'s in Figure 3), and in each of the columns after the MixColumns operation of round $r+2$ (denoted by $t$'s in Figure 3). This property
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is used in the second step of the attack to retrieve the actual values of several 
state bytes. 

3.2 Using the Difference Pattern to Retrieve Actual Values of 16 
Intermediate State Bytes 

In this section we show how the attacker can use the special difference pattern, 
along with a guess of the difference in eight additional bytes, in order to recover 
the actual values of 16 intermediate state bytes in both encryptions. We show 
in detail how the attacker can retrieve the actual value of byte &o,o of the state 
in the end of round r. The derivation of additional 15 bytes, which is performed 
in a similar way, is described briefly. 

The derivation of the actual value of byte $b_{0,0}$ of the state at the end of round $r$ is composed of several steps (described also in Figure 4):

1. The attacker guesses the differences $\nu_1, \nu_7$ and applies the following steps for each such guess.

2. The attacker finds the difference in Column 0 before the MixColumns operation of round $r+1$, i.e., the differences denoted by $\beta$-s in Figure 3. This is possible since the attacker knows the difference in Column 0 at the end of round $r+1$ (which is $(\alpha_0, 0, \alpha_2, 0)$ where $\alpha_0$ and $\alpha_2$ are known from the key stream), and since the AddRoundKey and the MixColumns operations are linear. By performing the inverse ShiftRows operation, the attacker can compute the output difference in byte $b_{0,0}$ after the SubBytes operation of round $r+1$.

3. Given the differences $\nu_1$ and $\nu_7$, there are $255^2$ possible differences after the MixColumns of round $r$ in the leftmost column. Using the output bytes $b_{0,0}, b_{2,2}$ of round $r-1$, the attacker knows the difference in two bytes of the same column before the MixColumns operation. Hence, using Observation 2 (the linearity of the MixColumns operation), the attacker retrieves the difference in the whole column, both before and after the MixColumns operation, including the difference $\gamma_0$.

4. At this point, the attacker knows the input difference ($\gamma_0$) and the output difference ($\beta_0$) to the SubBytes operation in byte $b_{0,0}$ of round $r+1$. Hence, using Observation 1 (the property of the SubBytes operation), the attacker finds the actual values of this byte using a single table look-up. In particular, the attacker retrieves the actual value of byte $b_{0,0}$ at the end of round $r$.

The additional 15 bytes are retrieved in the following way:

1. The value of byte $b_{2,2}$ at the end of round $r$ is obtained in the same way using bytes $b_{0,2}, b_{2,0}$ of the output of round $r-1$ (instead of bytes $b_{0,0}, b_{2,2}$) and examining the third column (instead of the first one).

2. The value of bytes $b_{0,2}$ and $b_{2,0}$ at the end of round $r$ is found by examining $\alpha_4, \alpha_6$ (instead of $\alpha_0, \alpha_2$), guessing the differences $\nu_3, \nu_5$ (instead of $\nu_1, \nu_7$), and repeating the process used in the derivation of bytes $b_{0,0}, b_{2,2}$.

3. In a similar way, by guessing the differences $\chi_1, \chi_3, \chi_5, \chi_7$ and using the output bytes of round $r+3$, the attacker can retrieve the actual values of bytes $b_{0,0}, b_{0,2}, b_{2,0}$ and $b_{2,2}$ in the output of round $r+2$.

4. Using the output of round $r$ and Observation 2, the attacker can obtain the differences $\alpha_1, \alpha_3, \alpha_5, \alpha_7$. Then, she can use the guessed differences $\chi_1, \chi_3, \chi_5, \chi_7$ and Observation 1 to obtain the actual values of bytes $b_{1,1}, b_{1,3}, b_{3,1}$ and $b_{3,3}$ at the end of round $r+1$.

5. Finally, using again the output of round $r$ and Observation 2, the attacker can obtain the differences $\epsilon_1, \epsilon_3, \epsilon_5, \epsilon_7$. Then, using the guessed differences $\nu_1, \nu_3, \nu_5, \nu_7$ and Observation 1, the attacker can obtain the actual values of bytes $b_{1,0}, b_{1,2}, b_{3,0}$, and $b_{3,2}$ at the end of round $r$.

Fig. 4. Deducing the actual value of $b_{0,0}$ at the end of round $r$

The bytes whose actual values are known to the attacker at this stage are presented in Figure 5 marked in gray.

4 Retrieving the Key in the Special Cases 

The last step of the attack is a guess-and-determine procedure. Given the actual values of the 16 additional state bytes obtained in the second step of the attack, the entire key can be recovered using Observations 2 and 3 (properties of the MixColumns operation and of the key schedule algorithm of AES-128).

The deduction is composed of two phases. In the first phase, presented in Figure 5, no additional information is guessed. We outline in Appendix B the exact steps of the deduction. At the beginning of the second phase, presented in Figure 6, the attacker guesses the value of two additional subkey bytes. We outline in Appendix C the exact steps the attacker performs after guessing these two bytes. In both figures we use gray bytes to mark bytes which are known at the beginning of that deduction phase. Then, if a byte contains a number $i$ it means that this byte is computed in the $i$-th step of the deduction sequence.
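The three properties invoked in the deduction (Observation 1 in step 4 of Section 3.2, Observation 2 in step 3 and throughout the deduction steps, and Observation 3 for the key schedule) are concrete enough to be checked in code. The block below is an added example for this page, not code from the paper; its function names, sample byte values and the choice of which bytes are treated as known are assumptions, and the key-schedule relation is checked against the FIPS-197 example key.

```python
# Added example, not code from the paper: the three AES properties that the
# deduction relies on (Observation 1: SubBytes, Observation 2: MixColumns,
# Observation 3: the AES-128 key schedule), written so each can be checked.
# Subkeys are 4x4 byte matrices indexed [row][column]; the function names
# and the sample values are assumptions made for this illustration.

def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def ginv(a):
    """Multiplicative inverse in GF(2^8) as a^254 (0 maps to 0)."""
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r

def _sbox_byte(x):
    inv = ginv(x)
    y = inv
    for _ in range(4):                 # affine part: XOR of four rotations
        inv = ((inv << 1) | (inv >> 7)) & 0xFF
        y ^= inv
    return y ^ 0x63

SBOX = [_sbox_byte(x) for x in range(256)]

# Observation 1: for an (input difference, output difference) pair, the
# actual inputs consistent with it are listed in a precomputed table, so the
# attacker needs one look-up. For the AES S-box each list has 2 or 4 entries.
DIFF_TABLE = {}
for x in range(256):
    for din in range(1, 256):
        DIFF_TABLE.setdefault((din, SBOX[x] ^ SBOX[x ^ din]), []).append(x)

def sbox_candidates(din, dout):
    """All x with S(x) ^ S(x ^ din) == dout."""
    return sorted(DIFF_TABLE.get((din, dout), []))

# Observation 2: MixColumns is a linear map on a column over GF(2^8); its
# matrix is MDS, so any 4 of the 8 input/output bytes fix the other 4.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def mix_column(col):
    return [gmul(MIX[r][0], col[0]) ^ gmul(MIX[r][1], col[1])
            ^ gmul(MIX[r][2], col[2]) ^ gmul(MIX[r][3], col[3]) for r in range(4)]

def complete_column(known_in, known_out):
    """Recover a full input-difference column from four known bytes.
    known_in maps input positions to values, known_out output positions."""
    rows = [([int(k == i) for k in range(4)], v) for i, v in known_in.items()]
    rows += [(list(MIX[j]), v) for j, v in known_out.items()]
    if len(rows) != 4:
        raise ValueError("exactly four known bytes are needed")
    for c in range(4):                 # Gauss-Jordan elimination over GF(2^8)
        p = next(r for r in range(c, 4) if rows[r][0][c])
        rows[c], rows[p] = rows[p], rows[c]
        inv = ginv(rows[c][0][c])
        coef = [gmul(inv, a) for a in rows[c][0]]
        rhs = gmul(inv, rows[c][1])
        rows[c] = (coef, rhs)
        for r in range(4):
            f = rows[r][0][c]
            if r != c and f:
                rows[r] = ([a ^ gmul(f, b) for a, b in zip(rows[r][0], coef)],
                           rows[r][1] ^ gmul(f, rhs))
    return [v for _, v in rows]

# Observation 3: AES-128 key schedule (FIPS-197). Column 0 of k_{i+1} is
# column 0 of k_i XOR SubWord(RotWord(column 3 of k_i)) XOR Rcon; the other
# columns are plain XORs, which is what the deduction steps exploit.
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def next_subkey(k, rnd):
    """k_{rnd+1} from k_{rnd}, rnd = 0..9."""
    nk = [[0] * 4 for _ in range(4)]
    for row in range(4):
        nk[row][0] = k[row][0] ^ SBOX[k[(row + 1) % 4][3]] ^ (RCON[rnd] if row == 0 else 0)
    for col in range(1, 4):
        for row in range(4):
            nk[row][col] = k[row][col] ^ nk[row][col - 1]
    return nk

def subkey_byte_00(k_next, k_byte_13, rnd):
    """Step 5 of the first deduction phase: byte (0,0) of k_{rnd} from byte
    (0,0) of k_{rnd+1} and byte (1,3) of k_{rnd}."""
    return k_next[0][0] ^ SBOX[k_byte_13] ^ RCON[rnd]
```

`complete_column` accepts any four of the eight bytes of a column, which is the general form of Observation 2 used in steps 3 and 5 above; `subkey_byte_00` is step 5 of the first deduction phase (byte (0,0) of $k_{r+1}$ from byte (0,0) of $k_{r+2}$ and byte (1,3) of $k_{r+1}$), with the round constant of the corresponding key-expansion round.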

Summarizing the attack, the attacker guesses 10 bytes of information (8 bytes of differences guessed in the second step of the attack, and 2 subkey bytes guessed in the third step of the attack), and retrieves the full secret key. Since all the operations used in the attack are elementary, the attack requires $2^{80}$ simple operations for each time the attack procedure is applied. Thus, as the attack procedure is repeated $2^{32}$ times, the total running time of the attack is $2^{112}$ operations. Since the most time-consuming step of the attack is a guess-and-determine procedure, it is very easy to parallelize the attack, and obtain a speed up equivalent to the number of used CPUs.

Gray boxes are bytes which are known.
Bytes marked with $i$ are bytes which are computed in step $i$.
Transition 9 is based on Observation 3.

Fig. 5. The First Phase of the Guess-and-Determine Attack on LEX (for Odd Rounds)

4.1 Data Complexity of the Attack 

The attack is based on examining special difference patterns. Since the probability of occurrence of a special pattern is $2^{-64}$, it is expected that $2^{32.5}$ encryptions under the same key (possibly with different IVs) yield a single pair of encryptions satisfying the special pattern.

However, we note that the attack can be applied for several values of the starting round of the difference pattern. The attack presented above is applicable if $r$ is equal to 1, 3, 5, or 7, and a slightly modified version of the attack (presented in Appendix A) is applicable if $r$ is equal to 0, 2, 4, or 6.⁴ Hence, $2^{64}/8 = 2^{61}$ pairs of encryptions are sufficient to supply a pair satisfying one of the eight possible difference patterns. These $2^{61}$ pairs can be obtained from $2^{31}$ AES encryptions, or equivalently, $2^{36.3}$ bytes of output key stream generated by the same key, possibly under different IVs.

Gray boxes are bytes which are known.
Black boxes are the two bytes guessed in this phase.
Bytes marked with $i$ are bytes which are computed in step $i$ of the second phase.

Fig. 6. The Second Phase of the Guess-and-Determine Attack on LEX (for Odd Rounds)

⁴ We note that while the attack considers five rounds of the encryption (rounds $r-1$ to $r+3$), it is not necessary that all the five rounds are contained in a single AES encryption. For example, if $r = 7$ then round $r+3$ considered in our attack is actually round 0 of the next encryption. The only part of the attack which requires the rounds to be consecutive rounds of the same encryption is the key schedule considerations. However, in these considerations only three rounds (rounds $r$ to $r+2$) are examined.


5 Further Observations on LEX 

In this section we present several observations on the structure of LEX that may 
be helpful in further cryptanalysis of the cipher. 


5.1 Sampling Resistance of LEX 

One of the main advantages of LEX, according to the designers (see [ref], Section 1), is the small size of its internal state allowing for a very fast key initialization (a single AES encryption). It is stated that the size of the internal state (256 bits) is the minimal size assuring resistance to time-memory-data tradeoff attacks.

Time-memory-data tradeoff (TMDTO) attacks [ref] are considered a serious security threat to stream ciphers, and resistance to this class of attacks is mandatory in the design of stream ciphers (see, for example, [ref]). A cipher with an $n$-bit key is considered (certificationally) secure against TMDTO attacks if any TMDTO attack on the cipher has either data, memory, or time complexity of at least $2^n$.

In order to ensure security against conventional TMDTO attacks trying to invert the function (State → Key Stream), it is sufficient that the size of the internal state is at least twice the size of the key [ref]. LEX satisfies this criterion (the key size is 128 bits and the size of the internal state is 256 bits). As a result, as claimed by the designers (see [ref], Sections 3.2 and 5), the cipher is secure with respect to TMDTO attacks.


550 


O. Dunkelman and N. Keller 


However, as observed in [ref], having the size of the internal state exactly twice the key length is not sufficient if the cipher has a low sampling resistance. Roughly speaking, a cipher has a sampling resistance of $2^{-t}$ if it is possible to efficiently list all internal states which lead to some $t$-bit output string. In other words, if it is possible to find a (possibly special) string of $t$ bits whose "predecessor" states are easily computed, then the cipher has sampling resistance of at most $2^{-t}$.

It is easy to see that LEX has maximal sampling resistance of $2^{-32}$, as out of the 256 bits of internal state, 32 bits are output directly every round. As a result, using the attack algorithm presented in [ref], it is possible to mount a TMDTO attack on LEX with data complexity $2^{88}$, and time and memory complexities of $2^{112}$. Hence, LEX provides only 112-bit security with respect to TMDTO attacks.

5.2 Loss of Entropy in the Initialization of LEX 

The first step in the initialization of LEX is the encryption of IV by AES under the secret key $K$. When considering $AES_K(IV)$ as a function of $K$, one can easily see that under reasonable randomness assumptions on AES, this function is a random function of the key $K$. As a result, the first internal state $S$ used in LEX does not contain 128 bits of entropy, even when the IV has full entropy. Actually, the expected number of possible $S$'s for a given IV is about 63% of all possible values, i.e., about $2^{127.3}$ possible $S$'s.

Even though our attack does not use this observation, it might still be used in attacks which rely on entropy. In particular, the variant of [ref] of time-memory-data tradeoff attacks (trying to invert the function (key, IV) → keystream) might use this observation by trying to invert the function (key, $S$) → keystream.
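The 63% figure is the fraction of its range that a random function hits, $1 - 1/e$, and the loss can be observed on a scaled-down model. The following is an added example, not part of the paper: a 16-bit stand-in for $AES_K(IV)$ as a function of $K$ (SHA-256 truncated to 16 bits, a construction of this illustration) reaches about 63% of its $2^{16}$ outputs, and scaling the same fraction to 128 bits gives the $2^{127.3}$ quoted above.

```python
# Added example, not from the paper: entropy loss of a random function,
# measured on a 16-bit model. random_function() is a constructed stand-in
# for AES_K(IV) seen as a function of K with the IV fixed.
import hashlib
import math

DOMAIN_BITS = 16   # stand-in for the 128-bit key space (assumption)

def random_function(x, label=b"fixed-IV"):
    """Deterministic 'random' map from a 16-bit input to a 16-bit output."""
    h = hashlib.sha256(label + x.to_bytes(2, "big")).digest()
    return int.from_bytes(h[:2], "big")

def fraction_of_outputs_reached(bits=DOMAIN_BITS):
    """Fraction of the 2^bits possible outputs that some input maps to."""
    reached = {random_function(x) for x in range(1 << bits)}
    return len(reached) / (1 << bits)

def expected_fraction(bits=DOMAIN_BITS):
    """Expected fraction for a random function on N elements:
    1 - (1 - 1/N)^N, which tends to 1 - 1/e (about 63%)."""
    n = 1 << bits
    return 1 - (1 - 1 / n) ** n

def reachable_states_log2(bits=DOMAIN_BITS):
    """log2 of the number of reachable outputs, i.e. an upper bound on the
    entropy of the first state; for bits = 128 this is the paper's 127.3."""
    return math.log2(fraction_of_outputs_reached(bits) * (1 << bits))
```

With 16-bit inputs the measured fraction lands within a few tenths of a percent of $1 - 1/e \approx 0.632$, so about 15.34 bits of the 16 survive; the same fraction applied to a 128-bit key space gives $2^{127.3}$ reachable values of $S$.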

5.3 Analysis of the Submitted Reference Implementation of the Original (Untweaked) Version of LEX

After communicating a preliminary version of our attack, we received a request to discuss the implementation of the original (untweaked) version of LEX submitted to eSTREAM. According to a claim made in [ref] and verified later by us, the submitted code of the untweaked LEX outputs different bytes than intended and specified (specifically, in the even rounds, $b_{1,1}, b_{1,3}, b_{3,1}$ and $b_{3,3}$ are given as the key stream). Of course, this seems like an unintended typo made in the submission pack (as shown by the fact that it was corrected in the tweaked submission of LEX).

It appears that this variant is much weaker than the intended cipher: First, given the difference in the key stream corresponding to an even round of AES and the consecutive odd round, the difference in two full columns (i.e., four additional internal bytes) can be found easily, without any assumption on the difference between the states. Second, it is possible to devise a simple meet-in-the-middle attack which uses only 256 bits of output stream and retrieves the secret key using $2^{112}$ simple operations.
The difference between the security of the intended version and that of the actual implementation emphasizes the importance of verifying the implementations of cryptographic primitives very carefully. This importance was first observed in [ref] with respect to public key encryption, and adopted in [ref] to the symmetric key scenario. While differential fault analysis assumes that the attacker can access both a faulty implementation and a regular implementation, our observations are valid when the attacker has to attack only the faulty implementation.

6 Summary and Conclusions 

In this paper we presented a new attack on the LEX stream cipher. We showed 
that there are special difference patterns that can be easily observed in the 
output key stream, and that these patterns can be used to mount a key recovery 
attack. 

The attack uses a total of $2^{36.3}$ bytes of key stream produced by a single key (possibly under different IVs) and takes $2^{112}$ simple operations to implement.

Our results show that for constructions based on the Goldreich-Levin ap- 
proach (i.e., PRNGs based on pseudo-random permutations), the pseudo- 
randomness of the underlying permutation is crucial to the security of the 
resulting stream cipher. In particular, a small number of rounds of a (possi- 
bly strong) block cipher cannot be considered random in this sense, at least 
when a non-negligible part of the internal state is extracted. 
A Special Difference Pattern Starting with an Even Round

In this section we present the modified version of the attack that can be applied if the special difference pattern occurs in the even rounds. The first two steps of the attack (observing the difference pattern and deducing the actual values of 16 additional bytes of the state) are similar to the first two steps of the attack presented in Section 3. The known byte values after these steps are presented in Figure 7 marked in gray. The third step of the attack is slightly different due to the asymmetry of the key schedule, and Observation 4 is used in this step along with Observations 2 and 3. The two phases of this step are presented in Figures 7 and 8. The overall time complexity of the attack is $2^{112}$ operations, like in the case of a difference pattern in the odd rounds.

Gray boxes are bytes which are known.
Bytes marked with $i$ are bytes which are computed in step $i$.
Step 5 is based on Observation 3, and step 11 is based on Observation 4.

Fig. 7. The First Phase of the Guess-and-Determine Attack on LEX (in Even Rounds)

B Detailed Description of the Steps in the First Deduction Phase

In this section we present the exact deduction steps done during the first phase depicted in Figure 5. The numbers of the steps correspond to the numbers in the figure.

1. The application of MixColumns in round r + 1 on two columns (second and 
fourth) gives these bytes. 

2. The application of MixColumns in round r + 2 on two columns (first and 
third) gives these bytes. 

3. The knowledge of the value of four bytes before the XOR with the subkey $k_{r+1}$ and after the XOR gives the value of the subkey in these bytes.

4. The knowledge of the value of four bytes before the XOR with the subkey $k_{r+2}$ and after the XOR gives the value of the subkey in these bytes.

5. By the key schedule of AES, the knowledge of byte (0,0) of the subkey $k_{r+2}$ and byte (1,3) of the subkey $k_{r+1}$ gives the value of byte (0,0) of the subkey $k_{r+1}$. Similarly, the knowledge of byte (2,0) of the subkey $k_{r+2}$ and byte (3,3) of the subkey $k_{r+1}$ gives the value of byte (2,0) of the subkey $k_{r+1}$.

6. These two bytes are the XOR of the two subkey bytes found in the previous step and known bytes.
Gray boxes are bytes which are known.
Black boxes are the two bytes guessed in this phase.
Bytes marked with $i$ are bytes which are computed in step $i$ of the second phase.

Fig. 8. The Second Phase of the Guess-and-Determine Attack on LEX (in Even Rounds)


7. Applying Observation 2 to the first column in the MixColumns operation of 
round r + 1 gives these four bytes. 

8. The two bytes after the SubBytes and ShiftRows operation are just computed 
backwards. 

9. These bytes are computed using the four bytes found in Step 4, and the 
application of Observation 3. 

10. These bytes are computed by XORing the subkey bytes found in the previous 
step with known values. 

11. Applying Observation 2 to the third column in the MixColumns operation 
of round r gives these four bytes. 

12. The input and output of the AddRoundKey operation of round $r$ in these two bytes is known, and allows retrieving these two subkey bytes.

13. By the key schedule of AES, the knowledge of bytes (1,1) and (3,1) of the subkey $k_{r+1}$ and bytes (1,2) and (3,2) of the subkey $k_r$ gives the values of bytes (1,2) and (3,2) of the subkey $k_{r+1}$, respectively.

14. By the key schedule of AES, the knowledge of bytes (1,2) and (3,2) of the subkey $k_r$ and bytes (1,3) and (3,3) of the subkey $k_{r+1}$ gives the values of bytes (1,3) and (3,3) of the subkey $k_r$, respectively.

15. By the key schedule of AES, the knowledge of byte (0,0) of the subkey $k_{r+1}$ and byte (1,3) of the subkey $k_r$ gives the value of byte (0,0) of the subkey $k_r$. Similarly, the knowledge of byte (2,0) of the subkey $k_{r+1}$ and byte (3,3) of the subkey $k_r$ gives the value of byte (2,0) of the subkey $k_r$.

16. These bytes are computed by XORing the subkey bytes found in the previous 
step with known values. 
17. Applying Observation 2 to the first column in the MixColumns operation of round $r$ gives these four bytes.

18. These bytes are the XOR of the bytes found in the previous step with known 
bytes. 

19. This byte is the XOR of one of the bytes found in Step 14 and a byte found 
in Step 8. 

C Detailed Description of the Steps in the Second Deduction Phase

In this section we present the exact deduction steps performed during the second phase depicted in Figure 6. The numbers of the steps correspond to the numbers in the figure.

1. Using the key schedule algorithm, it is possible to deduce four bytes of $k_{r+1}$ (each is the XOR of two known bytes in $k_{r+2}$).

2. Decrypting two known bytes using two of the subkey words found in Step 1 
gives these two bytes. 

3. Applying Observation 2 to the third column in the MixColumns operation 
of round r + 1. 

4. These four bytes are computed by the XOR of known state bytes and subkey bytes (in $k_{r+1}$).

5. These four bytes are the application of the SubBytes and ShiftRows opera- 
tions on the bytes found in the previous step. 

6. These bytes are the XOR of known bytes and the subkey bytes that were 
guessed. 

7. Applying Observation 2 to the second column in the MixColumns operation 
of round r + 2 gives these four bytes. 

8. These two bytes are found by applying the inverse ShiftRows and SubBytes 
operations to two of the bytes found in the previous step. 

9. These two subkey bytes are computed as the XOR of the corresponding bytes 
before and after the AddRoundKey operation of round r + 1. 

10. By the key schedule of AES, the knowledge of byte (3,0) of the subkey $k_{r+1}$ and byte (3,0) of the subkey $k_r$ gives the value of byte (2,3) of the subkey $k_r$.

11. By the key schedule of AES, the knowledge of bytes (1,0) and (2,3) of the subkey $k_{r+1}$ gives the value of byte (1,0) of the subkey $k_{r+1}$.

12. This byte is the XOR of a known state byte with the subkey byte found in 
the previous step. 

13. This byte is computed by applying the SubBytes and ShiftRows operations 
to the byte found in the previous step. 

14. By the key schedule of AES, the knowledge of byte (2,2) of the subkey $k_{r+2}$ and byte (2,3) of the subkey $k_{r+1}$ gives the value of byte (2,3) of the subkey $k_{r+2}$.

15. This byte is the XOR of a known state byte with the subkey byte found in 
the previous step. 
16. This byte is the partial decryption of a known byte by the byte found in the previous step.

17. Applying Observation 2 to the fourth column in the MixColumns operation 
of round r + 2 gives these four bytes. 

18. This byte is found by applying the inverse ShiftRows and SubBytes opera- 
tions to one of the bytes found in the previous step. 

19. This byte is the partial decryption of a known byte by the byte found in the 
previous step. 
Abstract. The F-FCSR stream cipher family was presented a few years ago. Apart from some flaws in the initial propositions, corrected at a later stage, there are no known weaknesses of the core of these algorithms. The hardware oriented version, called FCSR-H, is one of the ciphers selected for the eSTREAM portfolio.

In this paper we present a new and severe cryptanalytic attack on the 
F-FCSR stream cipher family. We give the details of the attack when 
applied on F-FCSR-H. The attack requires a few Mbytes of received 
sequence and the complexity is low enough to allow the attack to be 
performed on a single PC within seconds. 

1 Introduction 

The cryptographic scene includes a variety of efficient and trusted block ciphers. However, the same does not seem to hold for stream ciphers. The stream ciphers that have received attention through use in various standards tend to have more or less serious security weaknesses. Examples are the A5 algorithms used in GSM, the RC4 algorithm used, for example, in WLAN applications through the WEP protocol, and the E0 stream cipher used in Bluetooth.

Based on a belief that a dedicated stream cipher still has a capability of 
significantly outperforming a block cipher, the eSTREAM project was launched 
in 2004. The goal of this project was to solicit and evaluate submitted proposals 
of stream ciphers for future standardization. The main evaluation criteria set 
up were long-term security, efficiency in terms of performance, flexibility and 
market requirements. 

The eSTREAM project considered two different profiles, one targeting software implemented stream ciphers and one for hardware implemented stream ciphers (in particular constrained devices). The hardware category received a total of 25 submitted proposals. After three phases of evaluation, the final eSTREAM portfolio recommended four of them. One of them is a design called F-FCSR-H v2.

F-FCSR-H v2 is one of several algorithms in the F-FCSR family of stream ciphers designed by the French researchers F. Arnault, T.P. Berger, and C. Lauradoux. The family of ciphers is based on feedback with carry shift registers (FCSR) together with a filtering function. The idea of using FCSRs to generate sequences for cryptographic applications was initially proposed by Klapper and Goresky in [ref]. The F-FCSR family was introduced in [ref], proposing four concrete constructions. These proposals were cryptanalyzed in [ref]. The initial version submitted to eSTREAM, targeting hardware, was called F-FCSR-H. It was shown in [ref] that this construction also had security problems. This led to a change in the initialization procedure and the resulting algorithm was named F-FCSR-H v2. This paper will focus on the specification of F-FCSR-H v2 given in [ref].

J. Pieprzyk (Ed.): ASIACRYPT 2008, LNCS 5350, pp. 557–569, 2008.

The eSTREAM class of hardware stream ciphers (and F-FCSR-H v2 in particular) prescribes a key of length 80 bits. Apart from the initial flaws (on the IV-setup procedure, and a TMD tradeoff attack), there are as yet no known weaknesses of the core of these algorithms and the best attack on F-FCSR-H v2 is an exhaustive key search.

In this paper we present a new and severe cryptanalytic attack on the F-FCSR stream cipher family. We give the details of the attack when applied on F-FCSR-H v2. The attack is based on observing that the contribution of nonlinearity comes from the carry bits and that sometimes this contribution is too low and the system can be linearized. The whole attack requires a few Mbytes of received sequence and the complexity is low enough to allow the attack to be performed on a single PC within seconds. The attack has been fully implemented using the designers' reference implementation.

In Section 2 we give an overview of the FCSR automaton and the F-FCSR 
construction. In Section 3 we then discuss the underlying weaknesses giving the 
attack. In Section 4 we give a description of the attack and in Section 5 we give 
a more detailed analysis of parts of the attack and we also give the estimated 
and simulated complexities. In Section 6 we give a rough outline of how the key 
could be reconstructed from a known state. 

2 Recalling the FCSR Automaton and the F-FCSR Construction

Recall that a Feedback with Carry Shift Register (FCSR) is a device that computes the binary expansion of a 2-adic number $p/q$, where $p$ and $q$ are some integers, with $q$ odd. For simplicity one can assume that $q < 0 < p < |q|$. Following the notation from [ref], the size $n$ of the FCSR is the value such that $n+1$ is the bitlength of $|q|$. In the stream cipher construction, $p$ depends on the secret key (and the IV), and $q$ is a public parameter. The choice of $q$ induces some properties of the FCSR. The most important one is that it completely determines the length of the period $T$ of the keystream. The conditions for an optimal choice as used in the F-FCSR family of stream ciphers are: $q$ is a (negative) prime of bitsize $n+1$; the order of 2 modulo $q$ is $|q| - 1$; and $T = (|q| - 1)/2$ is also prime. Furthermore, set $d = (1 + |q|)/2$. Then the Hamming weight $W(d)$ of the binary expansion of $d$ is checked to be not too small, say $W(d) > n/2$.

The FCSR automaton as described in [ref] is one way to efficiently implement the generation of the 2-adic expansion sequence. It contains two registers: the main register $M$ and the carries register $C$. The main register $M$ contains $n$ cells. Let $M = (m_{n-1}, m_{n-2}, \ldots, m_1, m_0)$ and associate $M$ to the integer $M = \sum_{i=0}^{n-1} m_i \cdot 2^i$.

Recall the positive integer $d = (1 + |q|)/2$ and its binary representation $d = \sum_{i=0}^{n-1} d_i \cdot 2^i$. The carries register contains $l$ active cells where $l+1$ is the number of nonzero $d_i$ binary digits in $d$. The active cells are the ones in the interval $0 \le i \le n-2$, and $d_{n-1} = 1$ always holds. For this purpose we write the carries register $C$ as $C = (c_{n-2}, c_{n-3}, \ldots, c_1, c_0)$ and associate $C$ to the integer $C = \sum_{i=0}^{n-2} c_i \cdot 2^i$.

Note that only $l$ of the bits in $C$ are active and the remaining ones are set to zero. Let the integer $p$ be written as $p = \sum_i p_i \cdot 2^i$, where $p_i \in \{0, 1\}$. Then the 2-adic expansion of the number $p/q$ is computed by the automaton given in Figure 1.

Fig. 1. Automaton to compute the 2-adic expansion of $p/q$

The automaton is referred to as the Galois representation and it is very similar to the Galois representation of a usual LFSR. Other representations in connection with F-FCSR were considered in [ref]. For all defined variables we also introduce a time index $t$, and let $M(t)$ denote the content of $M$ at time $t$. Similarly, $C(t)$ denotes the content of $C$ at time $t$.

The addition with carry, denoted $\boxplus$ in Figure 1, has a one bit memory (the carry). It takes three inputs in total, two external inputs and the carry bit. It outputs the XOR of the inputs and it sets the new carry value to one if the integer sum of the three inputs is two or three.

In Figure 2 we give an illustrating example (following [ref]). Here $q = -347$ giving $d = 174$ and its binary expansion (10101110). The F-FCSR family of stream ciphers uses this particular automaton as the central part of their construction. So for future considerations in this paper we only need to recall the FCSR automaton as implemented in Figure 1 and Figure 2. Important facts are that the FCSR automaton has $n$ bits of memory in the main register and $l$ bits in the carry register, in total $n + l$ bits. If $(M, C)$ is our state, then many states are equivalent in the sense that starting in equivalent states will produce the same output. As the period is $|q| - 1 \approx 2^n$ the number of states equivalent to a given state is in the order of $2^l$.

Fig. 2. Example of an FCSR

560 M. Hell and T. Johansson

2.1 Describing the F-FCSR-H Construction 

The F-FCSR family of stream ciphers combines the FCSR automaton with a filtering function. The filtering function extracts keystream bits from the state of the main register in the FCSR automaton. The filter is a simple linear function of bits from the state. In order to increase the throughput, the constructions extract not only one but many bits each clock cycle. The number of extracted bits is eight for F-FCSR-H. Thus there are 8 different filters, now called subfilters, used to extract an 8-bit keystream byte after each transition of the automaton.

A one bit filter $F$ is a bitstring $(f_0, \ldots, f_{n-1})$ of length $n$. The output bit of the filter is defined to be

$$F(M) = \bigoplus_{i=0}^{n-1} f_i m_i,$$

i.e., the scalar product. As $F$ is a known string the output is a linear function (in $\mathbb{F}_2$).

For the 8 bit filter, it consists of 8 such binary functions $F_0, F_1, \ldots, F_7$. However, filter $F_j$ uses only cells $m_i$ in the main register that satisfy $i \equiv j \pmod 8$.

The parameters for F-FCSR-H are now given. The proposal uses key length 80 and IV of bitsize $v$ with $32 \le v \le 80$. The core of the F-FCSR-H algorithm has remained identical to the one originally proposed in [ref]. Only the key and IV initialization procedure was updated in [ref].

The FCSR length (size of the main register) is $n = 160$. The carries register contains $l = 82$ cells. The feedback is determined by the prime

q = 1993524591318275015328041611344215036460140087963.

This gives

d = (1 + |q|)/2 = (AE985DFF 26619FC5 8623DC8A AF46D590 3DD4254E)

(hexadecimal notation). So addition boxes and carries cells are present at the positions matching the binary ones in the binary expansion of $d$. To extract one keystream byte, FCSR-H uses the static filter

F = d = (AE985DFF26619FC58623DC8AAF46D5903DD4254E).

Using the designers' notation, this means that the 8 subfilters (subfilter $j$ is obtained by selecting the bit $j$ in each byte of $F$) are given by
F_0 = (00110111010010101010), F_4 = (01110010001000111100),
F_1 = (10011010110111000001), F_5 = (10011100010010001010),
F_2 = (10111011101011101111), F_6 = (00110101001001100101),
F_3 = (11110010001110001001), F_7 = (11010011101110110100).

So the F-FCSR-H generator outputs one byte every time instance and it is simply given as

$$z = (m_8 + m_{24} + m_{40} + m_{56} + \cdots + m_{136},\; m_1 + m_{49} + \cdots,\; \ldots,\; m_{23} + \cdots).$$
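The subfilters and the tap positions in $z$ can be regenerated from $d$ alone, which also cross-checks the values printed above against $q$. The block below is an added example, not the designers' reference code: it assumes that bit $i$ of the 160-bit integer $d$ (least significant bit first) is the coefficient $f_i$ for cell $m_i$, which is the convention under which the listed subfilters and the taps $m_8, m_{24}, \ldots$ of $z$ come out as printed; the function names are this example's own.

```python
# Added example, not the designers' code: derive the F-FCSR-H subfilters and
# keystream taps from the published d and check d against q. Assumption:
# bit i of d (LSB first) is the filter coefficient for main-register cell m_i.

Q = 1993524591318275015328041611344215036460140087963
D_HEX = "AE985DFF26619FC58623DC8AAF46D5903DD4254E"
N = 160                                     # main register size

def d_from_q():
    """d = (1 + |q|)/2 as an integer."""
    return (1 + Q) // 2

def subfilter(j):
    """Subfilter F_j as printed in the paper: bit j of each of the 20 bytes
    of F = d, most significant byte first."""
    return "".join(str((b >> j) & 1) for b in bytes.fromhex(D_HEX))

def taps(j):
    """Indices i of the cells m_i feeding keystream bit j: i = j (mod 8)
    and d_i = 1."""
    d = int(D_HEX, 16)
    return [i for i in range(j, N, 8) if (d >> i) & 1]

def keystream_byte(m):
    """Keystream byte z from the main register m (list of 160 bits, m[i] is
    cell m_i); bit j of z is the XOR of the taps of subfilter j."""
    z = 0
    for j in range(8):
        bit = 0
        for i in taps(j):
            bit ^= m[i]
        z |= bit << j
    return z

def active_carry_cells():
    """Positions 0 <= i <= n-2 with d_i = 1, i.e. where a carry cell exists."""
    d = int(D_HEX, 16)
    return [i for i in range(N - 1) if (d >> i) & 1]
```

`taps(0)` returns $[8, 24, 40, 56, \ldots, 136]$, the first component of $z$ above, and `active_carry_cells()` has the $l = 82$ positions stated in the text (the 83rd one of $d$ is $d_{159}$, which has no carry cell).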

The key and IV initialization consists of loading key and IV into the main 
register, clocking 20 times and extracting 20 bytes of output. These 160 bits are 
used as initial state in the main register of the FCSR automaton and it is clocked 
162 times without producing output. More details are given in Section 6. 

The second relevant construction in the F-FCSR family, called F-FCSR-16, is 
constructed in a similar manner. However it has a larger state and extracts 16 
bits every clock cycle. 

3 Weaknesses of the FCSR Automaton and the F-FCSR Family of Stream Ciphers

As the filtering function is $\mathbb{F}_2$-linear, essentially all the security of the FCSR constructions relies on the FCSR automaton's ability to create nonlinearity. It might at first glance look like this is achieved. The nonlinearity lies in the carry bit calculation, and carry bits are quickly spread over the entire main register. They enter new carry bit calculations, thus increasing the degree of nonlinear expressions rapidly. This is probably the first way one tries to analyze the construction, looking at the algebraic expressions created when the automaton is clocked a few times. It looks difficult to find some useful algebraic expression or some correlation between different variables that can be tracked all the way to the keystream symbols.

Instead, we look at the nonlinearity from a different perspective. The main observation we use is the fact that the carry bits in the carries register behave very far from random. The key point is that they all have one common input variable, the feedback bit. Let us look at what happens to a carry bit when the feedback bit is set to zero. When the feedback bit is zero, a carry bit that is zero must remain zero, whereas a carry bit that is one turns to zero with probability 1/2 (assuming random input on the active input). If we now assume that the feedback bit is zero for a few consecutive time instances, then it is very likely that the carry bit is pushed to zero.

Actually, the same arguments can be repeated when the feedback bit is one. 
Then the carry is more likely to be one and by repeatedly having ones on the 
feedback bit we push the carry value to one. However, for the moment we ignore 
this case. 

Since the feedback bit is a common input to all carries, this has a dramatic effect on the carries vector C. We know that C has l = 82 active cells (carry bits) and we can expect that on average C will have a weight of 41. However, the weight is strongly correlated to the values of the feedback bit. Every time the feedback bit is zero, all cells in C that are zero must remain zero, whereas those with value one have a 50% chance of becoming zero. So a zero feedback bit at time t gives a carries vector at time t + 1 of roughly half the weight compared to time t. This behavior is easily checked by just running the generator and observing the contents of C.

Having found this crucial observation, the attack looks almost trivial. We assume that we have a number of consecutive feedback bits that are all zero. This would push the carries register to the all-zero content. Then 19 more zero feedback bits keep C zero all the time. During this time the generator outputs 20 bytes, or 160 bits. We can thus reconstruct the main register from knowing these values and the fact that C is zero. The only problem is that this does not work.

4 Describing the Attack 

The underlying ideas of the attack were given in the previous section. However, the assumption that a large number of consecutive zero feedback bits would push the weight of C to zero is wrong. By simply running the generator we could see that this never happened. Once you look at the details, there is a simple explanation for this. Look at the FCSR automaton as illustrated in Figure 2, especially the last (least significant) active cell c_1 among the carries. Assume that the feedback bits are zero from time t to t + t_0 and that the feedback bit at time t − 1 was one. Since the feedback bit at time t − 1 was one and the feedback bits are zero from time t to t + t_0, the last carry addition must return zero to the next main register cell. Thus it must set the carry to one. Now, when the carry is one, the only way we can have zero output, and thus zero feedback, is if the main register input to the last carry addition is one. Thus the last carry cell will never be pushed to zero, as we initially hoped. The fact that the carry vector and the feedback will not be zero for several consecutive clock cycles was actually observed in earlier work. It was shown that this situation cannot occur if the FCSR automaton has reached a state of the main cycle, which is the case for all proposed F-FCSR stream ciphers.

However, this is not a problem. We slightly modify our approach and then it will work. As we described above, the all-zero feedback sequence can appear if the main register input to the last carry addition is the all-one sequence and we start by setting the carry bit to one. Then the all-zero feedback will push the weight of C to one (the last active carry cell is always one). So it is natural to define the following event.

Event E_zero: C(t) = C(t + 1) = ⋯ = C(t + 19) = (0, 0, …, 0, 1, 0).

When this happens we know that we have had 20 consecutive zeros in the feedback and that the carry vector has remained constant for 20 time instances. Using our previous arguments we would think that we need about log_2 82 ≈ 7 zeros in the feedback to push the weight of C to 1 and then an additional 19 zeros in the feedback to keep C constant for 20 time instances. Assuming a uniform distribution on the feedback bits, this would lead to a probability of very roughly 2^{-26} for the event E_zero to happen. As we will see in the next section, it is possible to use more information about the state in order to increase the efficiency of the attack. For now, let us just assume that we know how the main register M at time t + 1, t + 2, …, t + 19 depends on M(t) and that this dependency is linear.
Assuming that event E_zero occurs, the remaining part is to recover the main register from the given keystream bytes z(t), z(t + 1), …, z(t + 19). This will lead to a linear system of equations with 160 equations in 160 unknowns. This could basically be solved through Gaussian elimination, costing something like 160^3 operations. However, we observe that the equations have the special byte structure explained before. There are 20 equations that only include the main register variables m_0, m_8, m_16, …, m_152, there are 20 equations that only include m_1, m_9, m_17, …, m_153, etc. Note that we are only shifting zeros into M due to the assumption.

So it is much more efficient to treat each 20 by 20 system of equations independently. Let us describe the obtained systems of linear equations in more detail. We denote the least significant bit of z(t) by z(t)_0, the next bit by z(t)_1, etc., i.e., the output byte z(t) at time t is given by

z(t) = (z(t)_7, z(t)_6, z(t)_5, z(t)_4, z(t)_3, z(t)_2, z(t)_1, z(t)_0), (1)

where z(t)_7 is the MSB and z(t)_0 the LSB.

Then the linear equations involving the main register bits m_i with i ≡ 0 (mod 8) at time t can be written as

z(t)_0 = m_8 ⊕ m_24 ⊕ ⋯ ⊕ m_136,
z(t + 1)_7 = m_24 ⊕ m_40 ⊕ ⋯ ⊕ m_152,
⋮
z(t + 19)_5 = m_32 ⊕ m_48 ⊕ ⋯ ⊕ m_152.

Similar equations containing only the main register bits m_i with i ≡ 1 (mod 8) can also be listed. The same then goes for equations using only the m_i bits with i ≡ 2 (mod 8), etc. Altogether, we can for simplicity write

W_0 = (z(t)_0, z(t + 1)_7, …, z(t + 19)_5),
W_1 = (z(t)_1, z(t + 1)_0, …, z(t + 19)_6),
⋮
W_7 = (z(t)_7, z(t + 1)_6, …, z(t + 19)_4).

The vector of main register values m_0, m_8, m_16, …, m_152 is denoted M_0. Then we get

W_0 = M_0 P_0, (2)

where P_0 is a known 20 by 20 matrix (determined from the filter F). Similarly, M_i, 1 ≤ i ≤ 7, will denote the main register variables (m_i, m_{i+8}, m_{i+16}, …, m_{i+152}). With this notation we can write the eight 20 by 20 linear systems of equations as

W_0 = M_0 P_0, W_1 = M_1 P_1, …, W_7 = M_7 P_7. (3)

Of course, some equations need to have 1 added to them since we have to compensate for the fact that the carry vector is given as C = (0, 0, …, 0, 1, 0).

The idea is now to precompute, for each linear system, the solution M_i for each possible value of the vector of keystream bits W_i. This would require 8 tables of 2^20 entries each, every entry being a 20-bit vector. However, the real-time phase will be more efficient if 20 bytes are stored in each entry, having values only in the bit positions corresponding to the bits in M_i. Then a full candidate state can be found by just ORing together the 8 saved contributions.

Finding the main register content would then require only computing the vectors W_i, 0 ≤ i ≤ 7, from the keystream and then 8 table lookups to get the candidate main register state. The part of a candidate main register state given by W_i is denoted TABLE_i[W_i].

We can note that the P_i matrices are not all of full rank. This means that for our table of solutions, some W_i values will have no solutions whereas other values will have multiple (a power of two) solutions. This fact will then be combined over all 8 systems of equations, leading to a total number of S = ∏_{i=0}^{7} s_i solutions, where s_i is the number of solutions to the ith system. Thus TABLE_i[W_i] returns a set of zero or more solutions.

In our case this property will increase the efficiency of the attack because if we get a value W_0 for which TABLE_0[W_0] returns no solutions we can immediately stop and conclude that our assumption of event E_zero was wrong.

We now summarize our attack as follows.

0. for t = 1 to T_max do
1.   Select the 20 consecutive output bytes z(t), z(t + 1), …, z(t + 19).
2.   for i = 0 to 7
       Compute W_i
       if TABLE_i[W_i] has no solutions
         go to 0.
       else
         store all possible values for M_i.
     end for
3.   "Check candidate states": Test all possible values of (M_0, M_1, …, M_7) by checking if a candidate value generates z(t + 20), z(t + 21), …
4.   go to 0.
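The TABLE_i lookups above, as an added example that is not the paper's code: a GF(2) solver that returns the whole solution set of one subsystem W = M P (empty, or a coset of the kernel of size 2^(n − rank P)), run on a constructed rank-deficient 8×8 matrix in place of a real 20×20 P_i.

```python
# Added example, not the paper's code: the TABLE_i construction of Section 4.
# A subsystem is W = M * P over GF(2), with W and M n-bit row vectors and P an
# n x n matrix; the table maps W to the set of all M solving it.  Since P need
# not have full rank, the set is empty or a coset of ker(P) of size 2^(n-rank).
# Bit vectors are ints (bit j = coordinate j); P is a list of row masks.  The
# matrix at the bottom is a CONSTRUCTED 8x8 example, not a real F-FCSR-H P_i.

def mul(M, rows):
    """Row vector times matrix over GF(2): XOR of the rows selected by M."""
    w = 0
    for i, r in enumerate(rows):
        if (M >> i) & 1:
            w ^= r
    return w

def eliminate(rows):
    """Gaussian elimination tracking row combinations; returns (basis, kernel)."""
    basis = {}          # pivot bit -> (reduced row, mask of original rows in it)
    kernel = []         # masks whose row combination XORs to zero
    for i, r in enumerate(rows):
        vec, comb = r, 1 << i
        while vec:
            piv = vec.bit_length() - 1
            if piv not in basis:
                basis[piv] = (vec, comb)
                break
            bvec, bcomb = basis[piv]
            vec, comb = vec ^ bvec, comb ^ bcomb
        else:
            kernel.append(comb)          # reduced to 0: comb lies in ker(P)
    return basis, kernel

def solutions(rows, W):
    """All M with mul(M, rows) == W: the empty set or a coset of the kernel."""
    basis, kernel = eliminate(rows)
    vec, comb = W, 0
    while vec:
        piv = vec.bit_length() - 1
        if piv not in basis:
            return set()                 # W outside the row space: no solution
        bvec, bcomb = basis[piv]
        vec, comb = vec ^ bvec, comb ^ bcomb
    sols = {comb}                        # one particular solution ...
    for k in kernel:                     # ... plus every kernel element
        sols |= {s ^ k for s in sols}
    return sols

def build_table(rows, n):
    """TABLE[W] for every n-bit W, precomputed once as in the attack."""
    return {W: solutions(rows, W) for W in range(1 << n)}

# Constructed rank-6 example: rows 0 and 7 are equal and rows 1^2^5^6 = 0, so
# 64 of the 256 table entries hold 4 candidates each and the rest are empty.
DEMO_ROWS = [0b10000001, 0b01000010, 0b00100100, 0b00011000,
             0b00010001, 0b00100010, 0b01000100, 0b10000001]
```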


5 Improving the Attack Complexity 


In the previous section we assumed that the carry vector was fixed to C(t) = C(t + 1) = ⋯ = C(t + 19) = (0, 0, …, 0, 1, 0) for all considered time instances. However, we note that this is not necessary. As long as we can express the output bits in z(t), z(t + 1), …, z(t + 19) as linear equations in the main register variables at time t, the attack will work.

Denote the state at time t as (M, C)(t) and let x represent bits in the state that the output can be expressed as linear combinations of. Let ? represent bits that we do not need to know the value of. Assume that the state (M, C)(t) is given by

(M, C)(t) = (xx…xx 0 11…11 00, 000…0010),   with a run of 16 ones.

Then, the state will be updated as

(M, C)(t + 1) = (xx…xx 0 11…11 00, 000…0010),   run of 15 ones,
(M, C)(t + 2) = (xx…xx 0 11…11 00, 000…0010),   run of 14 ones,
⋮
(M, C)(t + 15) = (xxxxxxxx…xx 0 1 00, 000…0010),
(M, C)(t + 16) = (xxxxxxxx…xxx 000, 000…0010),
(M, C)(t + 17) = (xxxxxxxx…xxxx 10, 000…0000),
(M, C)(t + 18) = (xxxxxxxx…xxxxx 1, 000…0000),
(M, C)(t + 19) = (xxxxxxxx…xxxxxx, ???…???).

The only difference from the case presented in the previous section is that we should not compensate for the carry bit when computing the state (M, C)(t + 18), and we need to compensate for the 1 in the feedback when computing the state (M, C)(t + 19). Note that the feedback used when calculating (M, C)(t + 19) will cause the carry vector to be unpredictable. However, only M(t + 19) is used to extract z(t + 19), and knowledge of the carry vector here is not necessary. Using these observations, we can conclude that we only require the carry vector to take the value (0, 0, …, 0, 1, 0) for at least 17 consecutive time instances. Thus, we update the definition of E_zero to

Event E_zero: C(t) = C(t + 1) = ⋯ = C(t + 16) = (0, 0, …, 0, 1, 0).

The probability of E_zero has been simulated using in total 2 TB of data and 2000 different keys and is estimated to be

P(E_zero) = 2^{-25.3}. (4)

Thus, we would expect that we need on average 2^{25.3} bytes of keystream to recover the state.

The attack using the observations from this section has been fully implemented. The low complexity of the attack allows it to be simulated targeting the full version of F-FCSR-H v2. Using 5000 random keys, the state was recovered using on average 2^{24.7} bytes of keystream. The success rate was 100%. The slightly lower amount of keystream observed, compared to the expected amount, can easily be accounted for. For each state there are many equivalent states and sometimes one of these equivalent states is recovered. As an example, if C(t) = C(t + 1) = ⋯ = C(t + 15) = (0, 0, …, 0, 1, 0) but C(t − 1) ≠ (0, 0, …, 0, 1, 0), then (M, C)(t − 1) can be recovered if it is equivalent to another state (M′, C′) with C′ = (0, 0, …, 0, 1, 0). Since the two states will merge after a few clocks, the attack will also recover the real state.

A slight improvement of the attack is achieved by noting that we can also look at the situation when the carry vector is one in all active positions except the last. The required keystream length will be halved, but the attack time will remain unchanged. The same simulation was performed with this improvement and, as expected, the state was recovered using on average 2^{23.7} bytes of keystream.

6 Recovering the Key 

We have described a state recovery attack that completely breaks F-FCSR-H. We now outline how we can also derive the key from a known state at any time t. To describe this briefly, we recall the initialization from the design document (reference code). Inputs to the initialization are a key K of length 80 bits and an IV of length v ≤ 80 bits. For simplicity we fix the IV length to 80 bits.

Key+IV setup

1. The main register M is initialized with key and IV by

M = K + 2^{80} IV = (IV ‖ K),

and the carries register C = 0.

2. A loop is iterated 20 times. Each iteration of this loop consists in clocking the FCSR and then extracting a pseudorandom byte S_i (0 ≤ i ≤ 19) using the filter.

3. The main register M is reinitialized with these bytes:

M = (S_19, S_18, …, S_0),

and C = 0.

4. The FCSR is clocked 162 times (output is discarded).

Keystream generation 

Keystream is produced by first clocking the FCSR, then extracting one pseudorandom byte using filter F as described before.

Let us assume that time t = 0 appears directly after step 3 in the initialization above, i.e.,

M(0) = (S_19, S_18, …, S_0).

Recall from Section 2 that every state (M, C) is associated with an integer p, 1 ≤ p ≤ |q|, as the state generates the 2-adic expansion of p/q, where p = M + 2C. Let us write the value of p at time t as p(t).

Now assume that we have recovered the state M and the carries register C at some time t. So p(t) is known. Thus p(0) can be derived since p(0) = p(t) · 2^t mod q. This gives us knowledge of M(0) = (S_19, S_18, …, S_0), since the carries register at time 0 was 0.
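Added example (not from the paper): a toy Galois FCSR automaton with a constructed 12-bit connection integer, used to check both the Section 3 observation that a zero feedback bit can only shrink the weight of C (halving it on average) and the relation p(0) = p(t) · 2^t mod q used just above. The transition rule is the standard Galois FCSR; the register length and connection integer are assumptions and not the F-FCSR-H parameters.

```python
# Added example, not code from the paper: a toy Galois FCSR automaton with a
# CONSTRUCTED 12-bit connection integer (the F-FCSR-H parameters are not in
# this excerpt).  It checks two facts the text relies on:
#  (1) Section 3: with feedback bit b = 0 a carry cell can only stay 0 or drop
#      from 1 to 0, so weight(C) never grows and on average halves;
#  (2) Section 6: a clock maps p = M + 2C to (p - b*q)/2, so p(0) = p(t)*2^t mod q.
import random
N = 12                                 # register length (F-FCSR-H: 160)
D = 0b101101101101                     # constructed d; bit N-1 must be 1
Q = 1 - 2 * D                          # connection integer q (odd, negative)
ACTIVE = [i for i in range(N - 1) if (D >> i) & 1]   # cells owning a carry

def clock(M, C):
    """One step of the Galois FCSR; returns (M', C', feedback bit b)."""
    b = M & 1                          # feedback = least significant main cell
    newM, newC = 0, 0
    for i in range(N - 1):
        m_in = (M >> (i + 1)) & 1      # main register shifts toward m_0
        if (D >> i) & 1:               # active cell: full adder with carry
            s = m_in + ((C >> i) & 1) + b
            newM |= (s & 1) << i
            newC |= (s >> 1) << i      # carry out
        else:
            newM |= m_in << i
    newM |= b << (N - 1)               # top cell receives the feedback bit
    return newM, newC, b

def weight(x):
    return bin(x).count("1")

def two_adic_step_holds(M, C):
    """Exact form of the Section 6 invariant: 2*p(t+1) == p(t) - b*q."""
    M2, C2, b = clock(M, C)
    return 2 * (M2 + 2 * C2) == (M + 2 * C) - b * Q

def rewind_p(p_t, t):
    """p(0) = p(t) * 2^t mod |q|; unique for states on the main cycle."""
    return (p_t * pow(2, t, -Q)) % (-Q)

def recover_initial_M(M0, steps):
    """Clock (M0, C=0) `steps` times, then rewind p(t) to get M0 back."""
    M, C = M0, 0
    for _ in range(steps):
        M, C, _ = clock(M, C)
    return rewind_p(M + 2 * C, steps)

def zero_feedback_carry_stats(trials=4000, seed=7):
    """Random states with b = 0: (weight never increased?, mean w(C')/w(C))."""
    rng = random.Random(seed)
    never_grew, ratios = True, []
    for _ in range(trials):
        M = rng.getrandbits(N) & ~1    # force b = m_0 = 0
        C = sum(rng.getrandbits(1) << i for i in ACTIVE)
        if C == 0:
            continue
        M2, C2, _ = clock(M, C)
        never_grew &= (C2 & ~C) == 0   # no carry cell can switch on
        ratios.append(weight(C2) / weight(C))
    return never_grew, sum(ratios) / len(ratios)
```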

Recall that (S_19, S_18, …, S_0) was the output from F-FCSR-H when the main register was initialized with IV and key bits with C = 0. If we for simplicity assume that IV = 0, then the remaining problem is to reconstruct the key bits. We give a rough outline of how such a reconstruction could be done. A more careful analysis might reveal more efficient ways to solve the problem.

The main register starts as M = (0^{80} ‖ k_79 k_78 … k_1 k_0) and C = 0. The FCSR is clocked once before any output.

We start by guessing the first 8 key bits k_7, k_6, …, k_0, which control the feedback for the first 8 output bytes. With known feedback we can describe how every state bit can be expressed in algebraic form. Note that as long as we have zero feedback the carries register remains zero and we just get linear equations from the output bytes. The nonlinearity starts to grow when the feedback is one. So, assuming that the first feedback bit is one, we can examine the equations from the output bytes.

Similarly as before, let K_0 = (k_0, k_8, …, k_72), K_1 = (k_1, k_9, …, k_73), etc. Let ℓ_j(K_i) denote some linear function of the variables in K_i and let C_j(K_{i_1}, K_{i_2}, …, K_{i_n}) denote some nonlinear function of the variables in K_{i_1}, K_{i_2}, …, K_{i_n}. Then the received equations for the first output byte have the form

(S_0)_7 = ℓ_0(K_0),
(S_0)_0 = ℓ_1(K_1),
⋮
(S_0)_6 = ℓ_7(K_7).

The next output byte is written

(S_1)_6 = ℓ_8(K_0) + C_8(K_7),
(S_1)_7 = ℓ_9(K_1) + C_9(K_0),
⋮
(S_1)_5 = ℓ_15(K_7) + C_15(K_6),

and then

(S_2)_5 = ℓ_16(K_0) + C_16(K_6, K_7),
(S_2)_6 = ℓ_17(K_1) + C_17(K_7, K_0),
⋮
(S_2)_4 = ℓ_23(K_7) + C_23(K_5, K_6),

and so on. The last one we use is

(S_7)_0 = ℓ_56(K_0) + C_56(K_1, …, K_6, K_7),
(S_7)_1 = ℓ_57(K_1) + C_57(K_2, …, K_7, K_0),
⋮
(S_7)_7 = ℓ_63(K_7) + C_63(K_0, …, K_5, K_6).


When K_i appears in the linear expression but not in the nonlinear expression of an equation, we can use the equation to eliminate one variable. Starting with K_7 we have 8 such equations. Since we guessed the first key byte, K_7 contains 9 unknown variables. By leaving or guessing one bit in K_7 we can derive the remaining ones as functions C(K_0, …, K_5, K_6). These functions are inserted in place of the K_7 variables in the remaining equations. Examining the equations and looking for those with K_6 only in the linear part then gives 7 more equations that can be used to eliminate variables. Then the same for K_5 gives 6 more equations, etc. Altogether we can remove 36 variables in this way, and we have to do a work effort of trying 2^44 choices of certain key bits. The algebraic expressions we need to test can be precomputed. Observe that if the first feedback bit is zero (probability 1/2) the complexity drops to 2^36, two zero feedback bits give complexity 2^28, etc.

The key recovery part has not been fully implemented, but the given arguments show that key recovery can also be done with low complexity.

7 Conclusions 

We have given a very strong attack on the F-FCSR-H stream cipher, a cipher that has been selected for the eSTREAM portfolio. The state recovery attack has been fully implemented to attack F-FCSR-H using the designers' reference code. It succeeds in a few seconds using on average 2^{23.7} bytes (≈ 13 Mbyte) of keystream.

The weakness that was exploited is that the FCSR automaton sometimes temporarily (almost) behaves as a regular LFSR. Together with the fact that the output filter is linear, the complete cipher became temporarily linear, which allowed us to recover the internal state.